Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. Discovered by Patchstack's threat researcher Dave Jong, the two vulnerabilities have been reported to the theme's vendor, 'ThemeForest,' with one flaw fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022). However, some websites have not applied the security update, leaving them vulnerable to attack.
The first vulnerability, tracked as CVE-2023-26540, is a security misconfiguration in the Houzez Theme plugin, version 2.7.1 and older, that can be exploited remotely without authentication to escalate privileges. The second flaw, CVE-2023-26009, is also rated critical and impacts versions 2.6.3 and older, allowing unauthenticated attackers to perform privilege escalation on sites using the plugin.

According to Patchstack researcher Dave Jong, threat actors exploit these vulnerabilities by sending a request to the endpoint that listens for account creation requests. "Since the desired user role can be provided by the user, but is not validated properly on the server side, it can be set to the 'administrator' value in order to create a new account that has the administrator user role," Jong said.

After gaining access, attackers can upload a backdoor capable of executing commands, injecting ads on the website, or redirecting traffic to other malicious sites.
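The bug class Jong describes is a registration handler that passes a client-chosen role straight into account creation. As an added example (not Houzez's or Patchstack's code), here is how a WordPress signup handler resolves the role server-side instead; the AJAX action name, nonce name, form field names and the role allowlist are assumptions.

```php
<?php
// Added example, not Houzez code: a WordPress registration handler that never
// trusts a client-supplied role. Action name, nonce and field names are assumed.

add_action( 'wp_ajax_nopriv_example_register', 'example_secure_register' );
add_action( 'wp_ajax_example_register', 'example_secure_register' );

function example_pick_role( $requested ) {
    // Roles a self-service signup may pick. Anything else, 'administrator'
    // included, falls back to the site's configured default role.
    $allowed = array( 'subscriber', 'contributor' );
    $role    = is_string( $requested ) ? sanitize_key( $requested ) : '';
    if ( in_array( $role, $allowed, true ) && wp_roles()->is_role( $role ) ) {
        return $role;
    }
    return get_option( 'default_role', 'subscriber' );
}

function example_secure_register() {
    // The vulnerable pattern the article describes is handing $_POST['role']
    // directly to wp_insert_user(); the role below comes from the allowlist only.
    check_ajax_referer( 'example_register', 'nonce' );

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $username || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid username or email', 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => example_pick_role( $_POST['role'] ?? '' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

Patching closes the entry point but does not remove accounts already created through it, so sites that ran an affected version should also review their administrator list.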
Website owners and administrators should apply the available patches with the utmost priority, as Patchstack reports that the flaws are being abused. The version that fixes the first flaw is Houzez theme 2.7.2 or later, while the version that addresses the second security threat is Houzez Login Register 2.6.4 or later.