Hackers are actively exploiting two critical vulnerabilities in the Houzez theme and plugin for WordPress, according to a report by Patchstack. The Houzez theme is a premium plugin that costs $69 and is used primarily in real estate websites, serving over 35,000 customers.
The two vulnerabilities were discovered by Patchstack’s threat researcher Dave Jong and reported to the theme’s vendor, ‘ThemeForest.’ One flaw was fixed in August 2022 with version 2.6.4, and the other was fixed in November 2022 with version 2.7.2. However, some websites have not applied the security update, and threat actors are actively exploiting these older flaws in ongoing attacks.
The first Houzez flaw is tracked as CVE-2023-26540 and has a severity rating of 9.8 out of 10.0 per the CVSS v3.1 standard, categorizing it as a critical vulnerability. It’s a security misconfiguration impacting the Houzez Theme plugin version 2.7.1 and older and can be exploited remotely without requiring authentication to perform privilege escalation. The version that fixes the problem is Houzez theme 2.7.2 or later.
The second flaw has received the identifier CVE-2023-26009, and it’s also rated critical (CVSS v3.1: 9.8), impacting the Houzes Login Register plugin. It impacts versions 2.6.3 and older, allowing unauthenticated attackers to perform privilege escalation on sites using the plugin. The version that addresses the security threat is Houzez Login Register 2.6.4 or later.
Due to a validation check bug on the server side, the request can be crafted to create an administrator user on the site, allowing the attackers to take complete control over the WordPress site.
In the attacks observed by Patchstack, the threat actors uploaded a backdoor capable of executing commands, injecting ads on the website, or redirecting traffic to other malicious sites. Patchstack reports that the flaws are being abused when writing this, so applying the available patches should be treated with the utmost priority by website owners and administrators.
Therefore, website owners who use the Houzez theme and plugin must immediately update their websites to the latest version of Houzez to prevent attackers from exploiting the vulnerabilities.
