Hackers exploited the WordPress Houzez theme to hijack websites

March 9, 2023

The WordPress Houzez theme has two vulnerabilities that hackers are exploiting to target websites that use it. Based on reports, real-estate websites are the ones that primarily use these add-ons.

This premium WordPress theme costs nearly $70 and offers easy listing management and a convenient customer experience. The vendor's site estimates that it serves more than 30,000 customers within the real estate industry.

Unfortunately, a new cybersecurity report revealed that some websites have not applied the security patches for these flaws, which has allowed several threat actors to exploit them in ongoing attacks.


The attackers could use the WordPress Houzez theme flaws to take over the websites.


The first WordPress Houzez theme vulnerability is CVE-2023-26540, with a severity classification of 9.8 out of 10, categorised as a critical flaw.

CVE-2023-26540 is a security misconfiguration affecting Houzez theme version 2.7.1 and older. It can be exploited remotely, without authentication, to escalate privileges. The researchers said the flaw is fixed in Houzez theme version 2.7.2 or later.

The second flaw, CVE-2023-26009, is also a critical vulnerability, this time in the Houzez Login Register plugin. Versions 2.6.3 and older are affected and allow authenticated attackers to escalate privileges on websites that use the plugin.

The version that fixes this newly discovered vulnerability is Houzez Login Register 2.6.4 or more recent.

A researcher explained that the threat actors abuse these flaws by sending a request to the endpoint that handles account creation. Because a validation check is missing on the server side, that request can be specially crafted so that the newly created account is an administrator. This technique allows the threat actors to take over the WordPress website.
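The bug class described above, as an added illustration that is not Houzez's code (the theme's real handler is not shown on this page): a hypothetical WordPress self-registration handler that takes the account role from the request body, beside a hardened version that decides the role on the server and checks the form nonce. The function names, the `demo_register` nonce action and the field names are assumptions.

```php
<?php
// Hypothetical registration handlers (example only, not the Houzez code).
// Assumed to be wired to a public registration form that posts
// username, email, password and a WordPress nonce.

// VULNERABLE PATTERN: the role is read from the request and never checked
// against a server-side allowlist, so whatever the client sends becomes the
// account's role. This is the "missing validation check" the article
// describes: a crafted request yields an administrator account.
function demo_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( $_POST['username'] ),
        'user_email' => sanitize_email( $_POST['email'] ),
        'user_pass'  => $_POST['password'],
        // Trusts the client to pick its own privilege level.
        'role'       => isset( $_POST['role'] ) ? $_POST['role'] : 'subscriber',
    );
    return wp_insert_user( $userdata );
}

// HARDENED PATTERN: the form nonce is verified, input is validated, and the
// role is fixed server-side so self-registration can never create a
// privileged account no matter what fields the request carries.
function demo_register_hardened() {
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( '' === $username || ! is_email( $email ) || '' === $password ) {
        return new WP_Error( 'bad_input', 'Username, e-mail or password invalid.' );
    }
    $userdata = array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        // Fixed: the role is never taken from the request. The site's
        // configured default role (normally "subscriber") is used instead.
        'role'       => get_option( 'default_role', 'subscriber' ),
    );
    return wp_insert_user( $userdata );
}
```

When auditing a registration endpoint, the check is exactly this: trace the value passed as `role` (or any capability-bearing field) back to its origin and confirm it cannot originate from the request.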

In an attack observed by a separate analyst, the attackers uploaded a backdoor that could run commands, inject ads on the website, or redirect traffic to other compromised websites.

Cybersecurity experts strongly advise WordPress sites that use the Houzez theme or the Houzez Login Register plugin to update to the newest versions, since threat actors are actively abusing these flaws in malicious campaigns.
