Two critical severity vulnerabilities in the Houzez theme and plugin for WordPress are actively being exploited to hijack websites. The vulnerabilities, tracked as CVE-2023-26540 and CVE-2023-26009, are both privilege escalation flaws with a CVSS severity rating of 9.8 out of 10, classifying them as critical threats that need immediate attention.
The Houzez theme is a premium plugin that provides an amazing user experience. Its creator claims that the plugin is used by more than 35,000 real estate clients.
However, according to a recent report by Patchstack, some websites have not yet applied the security update and are at risk of being targeted by malicious actors who are still exploiting these known vulnerabilities.
The first flaw, CVE-2023-26540, is a security misconfiguration in the Houzez theme plugin itself; the second, CVE-2023-26009, affects the Houzez Login Register plugin instead. Both can be exploited by sending a request to the account creation endpoint listener. They were fixed in version 2.7.1 and version 2.6.3 of the plugin respectively.
The plugin allows users to add new accounts with varying levels of access. Because of a bug in a server-side validation check, a maliciously crafted request can create a new administrative user on the site, giving the threat actors complete control over the site's WordPress backend.
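To illustrate the class of bug described above, here is an added example (not Houzez's code and not taken from the Patchstack report) of a WordPress AJAX registration handler in its weak and hardened forms. The role names, nonce action and request field names are assumptions; the WordPress functions used (`check_ajax_referer`, `wp_insert_user`, `get_option`, `sanitize_user`, `sanitize_email`, `is_wp_error`, `wp_send_json_error`, `wp_send_json_success`) are real core APIs.

```php
<?php
// Added illustration of the bug class, not Houzez's own code.

// Weak pattern: the role for the new account is copied straight from the
// request, so the server never decides what access level is being granted.
function register_user_weak(array $req) {
    return wp_insert_user([
        'user_login' => sanitize_user($req['username']),
        'user_email' => sanitize_email($req['email']),
        'user_pass'  => $req['password'],
        'role'       => $req['role'],   // client-controlled privilege level
    ]);
}

// Hardened pattern: only a fixed allow-list of self-service roles can be
// chosen by the requester, and anything else collapses to the site's
// least-privileged default role. Role names here are assumptions.
const SELF_SERVICE_ROLES = ['subscriber', 'example_agent'];

function resolve_registration_role(?string $requested): string {
    $fallback = get_option('default_role', 'subscriber');
    if ($requested === null) {
        return $fallback;
    }
    // Strict comparison against the allow-list; never trust the raw value.
    return in_array($requested, SELF_SERVICE_ROLES, true) ? $requested : $fallback;
}

function register_user_hardened(): void {
    // Reject requests that do not carry a valid nonce for this action
    // (action name is an assumption).
    check_ajax_referer('example_register_nonce', 'security');

    $user_id = wp_insert_user([
        'user_login' => sanitize_user($_POST['username'] ?? ''),
        'user_email' => sanitize_email($_POST['email'] ?? ''),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => resolve_registration_role($_POST['role'] ?? null),
    ]);

    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()]);
    }
    wp_send_json_success(['user_id' => $user_id]);
}
```

Auditing for this pattern means checking every code path that reaches `wp_insert_user` or `set_role()` for a server-side allow-list like `resolve_registration_role`, rather than trusting whatever role value the request carries.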
The vulnerability affects all versions prior to version 2.6.3, allowing unauthorized attackers to gain elevated privileges on sites using this plugin.
Upgrade to Houzez Login Register version 2.6.4 or later.