WordPress Houzez theme weaknesses used to take over websites

March 1, 2023

Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez WordPress theme and plugin, which are mostly used on real estate websites.

The theme and its plugin provide easy listing administration and a pleasant client experience. According to the vendor’s website, it serves clients in the real estate business.

The security research site that uncovered the two vulnerabilities reported them to the theme’s publisher, ‘ThemeForest’; one weakness was addressed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022).

However, according to a new Patchstack analysis, some websites have still not installed the security updates, and threat actors are actively exploiting these older flaws in current attacks.

Abusing websites to gain control

The first Houzez bug is identified as CVE-2023-26540 and has a CVSS v3.1 severity rating of 9.8 out of 10.0, classifying it as a critical vulnerability.

It is a security flaw affecting Houzez Theme plugin versions 2.7.1 and older that can be abused remotely to escalate privileges without any authentication. Houzez theme 2.7.2 or later resolves the issue.

The second vulnerability is CVE-2023-26009, which is likewise rated critical (CVSS v3.1: 9.8) and affects the Houzez Login Registration plugin.

It affects versions 2.6.3 and earlier and allows unauthenticated attackers to escalate privileges on sites that use the plugin. Houzez Login Registration 2.6.4 or later addresses the issue.

Security experts say attackers exploit these vulnerabilities by submitting a request to the endpoint that listens for account-creation requests.

Because of a flaw in the server-side validation check, the request can be crafted so that it creates an administrator user on the site, giving the attackers total control of the WordPress site.
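The bug class described above, as an added illustration that is not the Houzez theme’s own code: a registration handler that trusts a client-supplied role beside one that decides the role server-side. It assumes WordPress core is loaded (wp_insert_user, sanitize_user, sanitize_email, is_email, username_exists, email_exists, WP_Error); the allow-list contents are a hypothetical choice.

```php
<?php
// Illustrative example (added here; not code from Houzez or Patchstack).
// Assumes WordPress core functions are loaded.

// Weak pattern: the requested role is copied straight from the request,
// so an unauthenticated caller decides its own privilege level.
function register_user_weak( array $req ) {
    return wp_insert_user( array(
        'user_login' => $req['username'],
        'user_email' => $req['email'],
        'user_pass'  => $req['password'],
        'role'       => $req['role'], // client-controlled: privilege escalation
    ) );
}

// Hardened pattern: the role comes from a fixed allow-list of self-service
// roles (hypothetical list), everything else is sanitized and validated,
// and any unexpected role request silently falls back to the default.
function register_user_hardened( array $req ) {
    $allowed_roles = array( 'subscriber' );
    $default_role  = 'subscriber';

    $username = sanitize_user( $req['username'] ?? '', true );
    $email    = sanitize_email( $req['email'] ?? '' );
    $password = (string) ( $req['password'] ?? '' );
    $role     = sanitize_key( $req['role'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        return new WP_Error( 'invalid_input', 'Invalid registration data.' );
    }
    if ( username_exists( $username ) || email_exists( $email ) ) {
        return new WP_Error( 'exists', 'An account with that name or email already exists.' );
    }
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = $default_role; // 'administrator' or anything else is never honoured
    }

    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}
```

Applying the fix only stops new abuse; sites that ran a vulnerable version should also audit their administrator accounts and installed plugins for anything created during the exposure window.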

In the attacks studied, security researchers observed threat actors uploading a backdoor capable of executing commands, inserting advertising on the website, or redirecting visitors to other malicious sites.

From there, they can do whatever they want with the site; in general, researchers found that a malicious plugin containing a backdoor was installed.

Regrettably, Patchstack states that the flaws were being exploited at the time of writing, so website owners and administrators should prioritize applying the available fixes.
