Two critical severity vulnerabilities in the popular WordPress Houzez theme and plugin allow threat actors to take over the affected websites completely.
Both flaws are in premium add-ons used primarily on real estate websites: the Houzez theme and its companion Houzez Login Register plugin. Houzez is a premium theme that sells for $69, offers easy listing management and a smooth customer experience, and has over 35,000 customers.
Patchstack threat researcher Dave Jong discovered the two vulnerabilities and reported them to the theme's vendor via the ThemeForest marketplace; one flaw was fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022).
The vulnerabilities are tracked as CVE-2023-26540 and CVE-2023-26009 and carry a CVSS severity score of 9.8 out of 10.0, which classifies them as critical. Both can be exploited remotely, without authentication, to escalate privileges.
Patchstack's report warns that some websites have not applied the security updates and that threat actors are exploiting the older, unpatched versions in ongoing attacks.
"The vulnerability in the theme and plugin is currently exploited in the wild and has seen many attacks from the IP address 103.167.93.138 at the time of writing." -Patchstack.
Dave Jong told Bleeping Computer that attackers exploit the flaws by sending a crafted request to the endpoint that handles account-creation requests.
Because of a bug in the server-side validation check, the request is accepted and creates a user with the administrator role, which gives the attacker complete control over the WordPress site.
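The bug class described above, a self-registration endpoint that trusts a client-supplied role, is easy to see in code. The following PHP is an illustrative example added for this article; it is not Houzez code, and the AJAX action names, parameter names and the role list are assumptions chosen for the demonstration. The first handler shows the vulnerable pattern, the second the server-side validation the article says was missing.

```php
<?php
// Illustrative WordPress AJAX registration handlers written for this article.
// NOT Houzez code: action names, parameter names and role names are assumed.

// --- Vulnerable pattern: the role is taken straight from the request -------
function example_register_vulnerable() {
    $username = sanitize_user( $_POST['username'] ?? '' );
    $email    = sanitize_email( $_POST['email'] ?? '' );
    $password = $_POST['password'] ?? '';
    // Sanitizing removes odd characters, but it does not decide whether the
    // caller is ALLOWED to pick this role.
    $role     = sanitize_text_field( $_POST['role'] ?? 'subscriber' );

    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }

    // Whatever the client sent is applied: role=administrator in an
    // unauthenticated POST turns self-registration into a site takeover.
    $user = new WP_User( $user_id );
    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// wp_ajax_nopriv_* hooks run for visitors who are not logged in.
add_action( 'wp_ajax_nopriv_example_register_vuln', 'example_register_vulnerable' );

// --- Hardened pattern: allowlist, nonce, and the site's registration switch --
function example_allowed_self_roles() {
    // Only low-privilege roles a visitor may choose for themselves.
    // Compare against this allowlist; never against a denylist of "bad" roles.
    return array( 'subscriber', 'example_agent', 'example_owner' );
}

function example_register_hardened() {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    // Ties the request to a nonce issued with the registration form.
    check_ajax_referer( 'example_register_nonce', 'security' );

    $username = sanitize_user( $_POST['username'] ?? '' );
    $email    = sanitize_email( $_POST['email'] ?? '' );
    $password = $_POST['password'] ?? '';
    $role     = sanitize_key( $_POST['role'] ?? 'subscriber' );

    // The server-side check the vulnerable handler lacks: reject any role
    // that is not on the allowlist, using strict comparison.
    if ( ! in_array( $role, example_allowed_self_roles(), true ) ) {
        wp_send_json_error( 'Invalid role.', 400 );
    }
    if ( ! validate_username( $username ) || ! is_email( $email ) ) {
        wp_send_json_error( 'Invalid username or email.', 400 );
    }

    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }

    $user = new WP_User( $user_id );
    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_example_register', 'example_register_hardened' );
```

The allowlist is the important part: sanitizing the value or checking it against a list of forbidden roles still lets a request through whenever the forbidden list is incomplete or the comparison is loose. Site owners who want to check whether the flaw was already used against them can list privileged accounts with WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`) and look for administrators created after the theme or plugin was installed that nobody on the team recognises.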
Once in, the attackers plant a backdoor that they use to inject ads into the website, execute commands, or redirect visitors to other malicious sites.
Because the flaws are being actively abused, website owners and administrators should treat applying the available patches as the top priority.