Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites.
The Houzez theme is a premium plugin that costs $69, offering easy listing management and a smooth customer experience. The vendor’s site claims it is serving over 35,000 customers in the real estate industry.
The two vulnerabilities were discovered by Patchstack’s threat researcher Dave Jong and reported to the theme’s vendor, ‘ThemeForest,’ with one flaw fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022).
However, a new Patchstack report warns that some websites have not applied the security update, and threat actors actively exploit these older flaws in ongoing attacks.
Abused to take control of sites
The first Houzez flaw is tracked as CVE-2023-26540 and has a severity rating of 9.8 out of 10.0 per the CVSS v3.1 standard, categorizing it as a critical vulnerability.
It’s a security misconfiguration impacting the Houzez Theme plugin version 2.7.1 and older and can be exploited remotely without requiring authentication to perform privilege escalation.
The version that fixes the problem is Houzez theme 2.7.2 or later.
The second flaw has received the identifier CVE-2023-26009, and it’s also rated critical (CVSS v3.1: 9.8), impacting the Houzes Login Register plugin.
It impacts versions 2.6.3 and older, allowing unauthenticated attackers to perform privilege escalation on sites using the plugin.
The version that addresses the security threat is Houzez Login Register 2.6.4 or later.
Dave Jong told BleepingComputer that threat actors exploit these vulnerabilities by sending a request to the endpoint that listens for account creation requests.
Due to a validation check bug on the server side, the request can be crafted to create an administrator user on the site, allowing the attackers to take complete control over the WordPress site.
In the attacks observed by Patchstack, the threat actors uploaded a backdoor capable of executing commands, injecting ads on the website, or redirecting traffic to other malicious sites.
“Since the desired user role can be provided by the user, but is not validated properly on the server side, it can be set to the “administrator” value in order to create a new account that has the administrator user role,” PatchStack researcher D. Jong told BleepingComputer.
“After this, they could do anything with the site they want though what we usually see is that a malicious plugin will be uploaded which contains a backdoor.
Unfortunately, Patchstack reports that the flaws are being abused when writing this, so applying the available patches should be treated with the utmost priority by website owners and administrators.