WordPress Houzez theme weaknesses used to take over websites

Published March 1, 2023
Author: Ash Khan

Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez WordPress theme and plugin, which are mostly used on real estate websites.

The theme provides easy listing administration and a pleasant client experience. According to the vendor’s website, it serves clients in the real estate business.

A security service uncovered the two vulnerabilities and reported them to the theme’s publisher, ‘ThemeForest’. One weakness was addressed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022).

However, according to a new Patchstack analysis, some websites have not installed the security update, and threat actors are actively exploiting these older flaws in current attacks.

Abusing websites to gain privileges

The first Houzez bug is identified as CVE-2023-26540 and has a CVSS v3.1 severity rating of 9.8 out of 10.0, classifying it as a critical vulnerability.

The flaw affects Houzez Theme plugin versions 2.7.1 and older and can be abused remotely for privilege escalation without authentication. Houzez theme 2.7.2 or later resolves the issue.

The second vulnerability is CVE-2023-26009, and it is likewise rated critical (CVSS v3.1: 9.8), affecting the Houzez Login Registration plugin.

It affects versions 2.6.3 and earlier, allowing unauthenticated attackers to escalate privileges on sites that use the plugin. Houzez Login Registration 2.6.4 or later addresses the issue.

Security experts claim hackers exploit these vulnerabilities by submitting a request to the endpoint that listens for account creation requests.

Because of a flaw in the server-side validation, the request can be crafted to create an administrator user on the site. This allows the attackers to take total control of the WordPress site.

In the attacks studied, cybersecurity websites saw threat actors uploading a backdoor capable of executing commands, inserting advertising on the website, or redirecting visitors to other malicious sites.

After this, they can do whatever they want with the site. Generally, however, researchers found that a malicious plugin containing a backdoor was published.

Regrettably, Patchstack states that the flaws are still being exploited at the time of writing. Website owners and administrators should therefore prioritize applying the available fixes.
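To triage a site against the versions listed above, the following added example (not code from Patchstack or the Houzez vendor) reads the `Version:` field of a WordPress theme or plugin header, compares it with the fixed releases named in this article, and lists administrator accounts registered after a chosen date. It assumes the administrator list was exported with `wp user list --role=administrator --fields=user_login,user_registered --format=json`; the function names, sample headers, sample accounts and the cutoff date are constructed for illustration.

```python
import json
import re
from datetime import datetime

# Fixed releases as stated in the article.
FIXED = {
    "theme": (2, 7, 2),           # Houzez theme, CVE-2023-26540
    "login_register": (2, 6, 4),  # Houzez Login Registration, CVE-2023-26009
}

def header_version(header_text):
    """Read 'Version:' from a WordPress theme/plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", header_text, re.I | re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(component, header_text):
    """True if older than the fixed release, None if no version was found."""
    found = header_version(header_text)
    if found is None:
        return None  # unknown version: needs manual review
    fixed = FIXED[component]
    width = max(len(found), len(fixed))  # pad so 2.7 compares as 2.7.0
    return found + (0,) * (width - len(found)) < fixed + (0,) * (width - len(fixed))

def admins_since(users_json, since):
    """Administrator logins registered on or after `since` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    return [u["user_login"] for u in json.loads(users_json)
            if datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S") >= cutoff]

# Constructed sample inputs (not taken from a real site).
SAMPLE_STYLE_CSS = "/*\nTheme Name: Houzez\nVersion: 2.7.1\n*/"
SAMPLE_PLUGIN = "<?php\n/**\n * Plugin Name: Houzez Login Registration\n * Version: 2.6.4\n */"
SAMPLE_ADMINS = json.dumps([
    {"user_login": "siteowner", "user_registered": "2021-03-14 09:12:44"},
    {"user_login": "wpsupport2", "user_registered": "2023-02-20 03:41:07"},
])

if __name__ == "__main__":
    print("theme vulnerable:", is_vulnerable("theme", SAMPLE_STYLE_CSS))
    print("plugin vulnerable:", is_vulnerable("login_register", SAMPLE_PLUGIN))
    print("admins to review:", admins_since(SAMPLE_ADMINS, "2022-08-01"))
```

An account flagged by `admins_since` is only a candidate for review; updating removes the flaw but does not remove an administrator or plugin that was added while the site was exposed.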