Hackers Exploit Critical Vulnerabilities in Houzez Theme and Plugin

February 27, 2023

Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. Discovered by Patchstack's threat researcher Dave Jong, the two vulnerabilities have been reported to the theme's vendor, 'ThemeForest,' with one flaw fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022). However, some websites have not applied the security update, leaving them vulnerable to attack.

The first vulnerability, tracked as CVE-2023-26540, is a security misconfiguration impacting the Houzez Theme plugin version 2.7.1 and older and can be exploited remotely without requiring authentication to perform privilege escalation. The second flaw, CVE-2023-26009, is also rated critical and impacts versions 2.6.3 and older, allowing unauthenticated attackers to perform privilege escalation on sites using the plugin. According to Patchstack researcher Dave Jong, threat actors exploit these vulnerabilities by sending a request to the endpoint that listens for account creation requests. "Since the desired user role can be provided by the user, but is not validated properly on the server side, it can be set to the 'administrator' value in order to create a new account that has the administrator user role," Jong said. After gaining access, attackers can upload a backdoor capable of executing commands, injecting ads on the website, or redirecting traffic to other malicious sites.

Website owners and administrators should apply the available patches with the utmost priority, as Patchstack reports that the flaws are being abused. The version that fixes the first flaw is Houzez theme 2.7.2 or later, while the version that addresses the second security threat is Houzez Login Register 2.6.4 or later.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.