Critical vulnerabilities discovered in popular Houzez theme and plugin for WordPress
Houzez theme and plugin for WordPress hit by critical vulnerabilities
The Houzez theme and plugin for WordPress, widely used in the real estate industry, are under attack from cybercriminals exploiting two critical-severity vulnerabilities. Despite being reported and fixed in versions 2.6.4 (August 2022) and 2.7.2 (November 2022), respectively, not all websites have applied the security update.
Hackers are actively exploiting these older flaws, which allow them to take control of sites. Patchstack threat researcher Dave Jong discovered the two vulnerabilities and has issued a warning that website owners and administrators must apply the available patches immediately.
The severity and impact of the critical vulnerabilities
One of the flaws, CVE-2023-26540, is a security misconfiguration in the Houzez Theme plugin version 2.7.1 and older. The vulnerability can be exploited remotely, without requiring authentication, and allows for privilege escalation.
The second vulnerability, CVE-2023-26009, impacts the Houzez Login Register plugin, and unauthenticated attackers can perform privilege escalation on sites using the plugin. In both cases, the attackers take advantage of a server-side validation check bug that lets them create an administrator user on the site and take complete control of the WordPress installation.
Urgent need to apply available patches to prevent abuse of critical vulnerabilities
In the attacks observed by Patchstack, the threat actors uploaded a backdoor capable of executing commands, injecting ads on the website, or redirecting traffic to other malicious sites. Unfortunately, the flaws are being abused, so website owners and administrators must apply the available patches immediately.
The severity of the vulnerabilities underscores the importance of keeping plugins and themes updated to protect against potential exploits. The vendor’s site claims that over 35,000 customers use the Houzez theme, and at $69 for a premium theme, it’s a costly security risk for those who fail to apply the necessary updates.
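For site owners checking whether they are exposed to the two flaws described above, the following triage helper is an added example (not code from the article, Patchstack or the theme vendor). It assumes the installed version can be read from a WordPress-style `Version:` file header (style.css for the theme, the plugin's main PHP file for the plugin) and that the user list is the JSON printed by `wp user list --format=json`; the fixed-release thresholds are parameters, with the sample using the article's 2.7.2 for the theme (2.7.1 and older affected) and 2.6.4 for the plugin, and all sample inputs are constructed.

```python
"""Triage helper for the Houzez advisory above (added example, not vendor code).
Assumptions: version comes from a WordPress 'Version:' file header and the
user list is `wp user list --format=json` output. Sample data is constructed."""
import json
import re
from datetime import datetime

# Fixed releases named in the article; pass the one that applies per component.
THEME_FIXED = (2, 7, 2)    # article: theme 2.7.1 and older affected
PLUGIN_FIXED = (2, 6, 4)   # assumed to be the Login Register plugin's fixed release

def parse_version(header_text: str) -> tuple:
    """Read the WordPress-style 'Version:' header as a comparable int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)", header_text, re.M)
    if not m:
        raise ValueError("no Version header found")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(header_text: str, fixed: tuple) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(header_text) < fixed

def recent_admins(users_json: str, since: str) -> list:
    """Administrator accounts registered on or after `since` (ISO date): the
    rogue-admin outcome the article describes. Review every hit by hand."""
    cutoff = datetime.fromisoformat(since)
    hits = []
    for u in json.loads(users_json):
        roles = u.get("roles", "").split(",")
        registered = datetime.fromisoformat(u["user_registered"])
        if "administrator" in roles and registered >= cutoff:
            hits.append(u["user_login"])
    return hits

# Constructed sample data: an unpatched theme, a patched plugin, one odd admin.
STYLE_CSS = "/*\nTheme Name: Houzez\nVersion: 2.7.1\n*/\n"
PLUGIN_PHP = "<?php\n/*\nPlugin Name: Houzez Login Register\nVersion: 2.6.4\n*/\n"
USERS_JSON = json.dumps([
    {"user_login": "owner", "roles": "administrator", "user_registered": "2021-03-01 09:00:00"},
    {"user_login": "wp_support", "roles": "administrator", "user_registered": "2023-02-20 03:12:45"},
    {"user_login": "agent7", "roles": "subscriber", "user_registered": "2023-02-21 10:00:00"},
])

if __name__ == "__main__":
    print("theme needs update:", is_vulnerable(STYLE_CSS, THEME_FIXED))
    print("plugin needs update:", is_vulnerable(PLUGIN_PHP, PLUGIN_FIXED))
    print("admins created since disclosure:", recent_admins(USERS_JSON, "2022-08-01"))
```

A version at or above the fixed release does not prove a clean site: the article notes attackers also dropped a backdoor, so any unexpected administrator account should trigger a full file and database review.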
Source: bleepingcomputer.com