Patchstack warns that hackers may exploit two premium add-ons primarily used on real estate websites. The Houzez theme plugin, which costs $69, claims to serve over 35,000 customers in the real estate industry by offering easy listing management and a smooth customer experience.
According to Patchstack’s threat researcher Dave Jong, the two vulnerabilities were discovered and reported to the theme’s vendor, ThemeForest, with one flaw fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022).
Despite the availability of security updates, a recent report from Patchstack has warned that some websites have not applied the patch, leaving them vulnerable to ongoing attacks.
Patchstack reports that the first Houzez flaw, CVE-2023-26540, has a severity rating of 9.8 out of 10.0. That rating makes it a critical vulnerability. The flaw is a security misconfiguration impacting the Houzez Theme plugin version 2.7.1 and older, allowing attackers to perform privilege escalation remotely without requiring authentication. The version that fixes the problem is Houzez Theme 2.7.2 or later.
The second flaw has received the identifier CVE-2023-26009, also rated critical (CVSS v3.1: 9.8), and impacts the Houzez Login Register plugin. It impacts versions 2.6.3 and older, allowing unauthenticated attackers to perform privilege escalation on sites using the plugin.
The version that addresses the security threat is Houzez Login Register 2.6.4 or later.
How hackers exploit the flaws
Threat actors exploit these vulnerabilities by sending a request to the endpoint that listens for account creation requests. Due to a validation check bug on the server side, the request can be crafted to create an administrator user on the site, allowing the attackers to control the WordPress site completely. In the attacks, the threat actors uploaded a backdoor capable of executing commands, injecting ads on the website, or redirecting traffic to malicious sites.
Given that the flaws are currently being abused, Patchstack emphasizes that website owners and administrators must apply the available patches urgently to avoid becoming vulnerable to attacks.
Also read: More than 11,000 WordPress websites compromised by malicious script