WordPress Houzez theme weaknesses used to takeover websites

Published March 1, 2023
Author: Ash Khan

WordPress Houzez theme weaknesses used to takeover websites

Published March 1, 2023
Author: Ash Khan

Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez WordPress theme and plugin, mostly utilized in real estate websites.

The theme is a plugin that provides easy listing administration and a pleasant client experience. According to the vendor’s website, it serves clients in the real estate business.

The security service website uncovered the two vulnerabilities and submitted them to the theme’s publisher, ‘ThemeForest,’ with one weakness addressed in version 2.6.4 (August 2022) and the other in version 2.7.2. (November 2022).

But, according to a new Patchstack analysis, some websites have not installed the security update. In addition, threat actors are actively exploiting these earlier flaws in current assaults.

Abuse of website to gain power

The first Houzez bug is identified as CVE-2023-26540 and has a CVSS v3.1 severity rating of 9.8 out of 10.0. Thus, classifying it as a critical vulnerability.

It’s a security flaw that affects Houzez Theme plugin versions 2.7.1 and older. Moreover, it can be abused remotely to conduct privilege escalation without needing authentication. Houzez theme 2.7.2 or later is the version that resolves the issue.

The second vulnerability is CVE-2023-26009, and it is likewise rated critical (CVSS v3.1: 9.8), affecting the Houzes Login Registration plugin.

It affects versions 2.6.3 and earlier, allowing unauthenticated attackers to escalate privileges on sites that use the plugin. Houzez Login Registration 2.6.4 or later is the version that addresses the security threat.

Security experts claim hackers exploit these vulnerabilities by submitting a request to the endpoint that listens for account creation requests.

Because of a server-side validity check issue, the request may be designed to establish an administrator user on the site. This allows the attackers to take total control of the WordPress hosts sites.

Cybersecurity websites saw threat actors uploading a backdoor capable of executing instructions. Furthermore, inserting advertising on the website, or routing visitors to other malicious sites in the assaults studied.

Following this, they might do whatever with the site they want. However, generally, researchers found that a malicious plugin was published which has a backdoor.

Regrettably, Patchstack states that the flaws are being exploited when writing this. Therefore, website owners and administrators should prioritize implementing the available fixes.

Post Views: 185
0

Popular Tags

API Integration Branding Services Business Cloud Backup storage cloud storage Cloud VPS Server Hosting Database Services Digital Marketing eBay Store Email Hosting Email Marketing & CRM Email security Explainer Video Facebook Ads Fast Vpn FTP hosting GMAIL Google Ads Google Workspace hacked website repair IT Support Services Linux Managed AWS Cloud Managed Azure Cloud Microsoft 365 Microsoft Office 365 Microsoft Teams Integration mobile apps Outlook email Reseller Hosting SEO Services Server Management SIM Hosting Service SMS Services Social Media Marketing SQL Services Transfer Domain Name Vulnerability Assessment web applications Web Hosting Web Maintenance Website Designing website repair services Website Security Wordpress Hosting

Latest Posts