On Monday, Patchstack, a WordPress security company, warned that a severe vulnerability in the Houzez premium WordPress theme has been exploited in the wild.
Houzez is a popular real estate industry theme with over 35,000 sales on ThemeForest. It is designed to provide agencies with a powerful way to manage their content and listings.
Patchstack CTO Dave Jong found that the Houzez theme and its companion Houzez Login Register plugin are affected by a critical vulnerability that lets an unauthenticated attacker take over WordPress websites.
The flaw, tracked as CVE-2023-26009 in the plugin and CVE-2023-26540 in the theme, allows an attacker to acquire administrator privileges on a WordPress site with the help of a maliciously crafted request. The attacker would need to visit the targeted website, grab a nonce token associated with CSRF protection, and then send the malicious request to the account registration endpoint provided by the Houzez theme or plugin.
The vendor was informed about the security hole and patched it with the release of versions 2.6.4 (plugin) and 2.7.2 (theme). Patchstack has observed exploitation attempts in the wild, and according to the CTO both the theme and the plugin have been targeted. The plugin, however, appears to be targeted more often than the theme; the reason for this is unclear.
If a website is exploited with this vulnerability, the attacker is likely to upload a malicious plugin which contains a backdoor, allowing them to inject advertisements into the website or redirect traffic to another malicious site. WordPress website owners and administrators using the Houzez theme should ensure that their installation is patched to prevent malicious exploitation.
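A quick defender-side check for the two conditions the advisory describes, as an added example that is not part of the original article or of Patchstack's or the vendor's tooling: it compares the installed Houzez theme and plugin versions against the fixed releases named above (2.7.2 and 2.6.4) and lists administrator accounts by registration date, since abuse of the registration endpoint leaves a newly created admin behind. The live check assumes wp-cli is installed, the script is run from the WordPress root, and the slugs `houzez` (theme) and `houzez-login-register` (plugin), which are assumptions.

```shell
#!/bin/sh
# Fixed versions taken from the advisory text.
HOUZEZ_THEME_FIXED="2.7.2"
HOUZEZ_PLUGIN_FIXED="2.6.4"

# version_ge A B: succeed if dotted version A >= B, compared field by field.
# Non-digit suffixes (e.g. "2-beta") are stripped so the numeric compare is safe.
version_ge() {
  a="$1"; b="$2"; i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i" | tr -cd '0-9')
    y=$(printf '%s' "$b" | cut -d. -f"$i" | tr -cd '0-9')
    [ -z "$x" ] && [ -z "$y" ] && return 0   # all fields equal
    x=${x:-0}; y=${y:-0}                      # missing field counts as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# houzez_status <theme|plugin> <installed-version>: prints PATCHED or VULNERABLE.
houzez_status() {
  case "$1" in
    theme)  fixed="$HOUZEZ_THEME_FIXED" ;;
    plugin) fixed="$HOUZEZ_PLUGIN_FIXED" ;;
    *)      echo "UNKNOWN"; return 2 ;;
  esac
  if version_ge "$2" "$fixed"; then echo "PATCHED"; else echo "VULNERABLE"; fi
}

# Live check of a site via wp-cli (slugs are assumed; adjust to your install).
houzez_check_site() {
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 2; }
  t=$(wp theme get houzez --field=version 2>/dev/null)
  p=$(wp plugin get houzez-login-register --field=version 2>/dev/null)
  [ -n "$t" ] && echo "theme $t: $(houzez_status theme "$t")"
  [ -n "$p" ] && echo "plugin $p: $(houzez_status plugin "$p")"
  # Newest administrators first: an unexpected recent entry warrants investigation.
  wp user list --role=administrator --fields=ID,user_login,user_registered \
    --orderby=registered --order=DESC
}

# Run the live check only when invoked as: sh houzez-check.sh --check
if [ "${1:-}" = "--check" ]; then houzez_check_site; fi
```

Follow any VULNERABLE result with an update and a review of installed plugins, since the observed post-exploitation step is the upload of a backdoored plugin.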
Key Points:
- A critical vulnerability in the Houzez premium WordPress theme has been exploited in the wild.
- The flaw, tracked as CVE-2023-26009 (plugin) and CVE-2023-26540 (theme), allows an attacker to acquire administrator privileges on a WordPress site.
- The vendor was informed about the security hole and patched it with the release of versions 2.6.4 (plugin) and 2.7.2 (theme).
- Patchstack has noticed exploitation attempts in the wild targeting both the theme and the plugin.
- If a website is exploited with this vulnerability, the attacker is likely to upload a malicious plugin containing a backdoor.
- WordPress website owners and administrators using the Houzez theme should ensure that their installation is patched to prevent malicious exploitation.