Critical flaws in WordPress Houzez theme exploited to hijack websites

Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily on real estate websites.

The Houzez theme is a premium plugin that costs $69, offering easy listing management and a smooth customer experience. The vendor's website claims it serves over 35,000 customers in the real estate industry.

The two vulnerabilities were discovered by Patchstack's threat researcher Dave Jong and reported to the theme's vendor, 'ThemeForest,' with one flaw fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022).

However, a new Patchstack report warns that some websites have not applied the security update, and threat actors are actively exploiting these older flaws in ongoing attacks.

"The vulnerability in the theme and plugin is currently exploited in the wild and have seen a lot of attacks from the IP address 103.167.93.138 at the time of writing." – Patchstack.

Abused to take control of sites

The first Houzez flaw is tracked as CVE-2023-26540 and has a severity rating of 9.8 out of 10.0 under the CVSS v3.1 standard, categorizing it as a critical vulnerability.

It is a security misconfiguration affecting the Houzez Theme plugin version 2.7.1 and older, and it can be exploited remotely without authentication to perform privilege escalation.

The version that fixes the problem is Houzez theme 2.7.2 or later.

The second flaw has received the identifier CVE-2023-26009, and it is also rated critical (CVSS v3.1: 9.8), affecting the Houzez Login Register plugin.

It affects versions 2.6.3 and older, allowing unauthenticated attackers to perform privilege escalation on sites using the plugin.

The version that addresses the security risk is Houzez Login Register 2.6.4 or later.

Dave Jong told BleepingComputer that threat actors exploit these vulnerabilities by sending a request to the endpoint that listens for account creation requests.

Due to a validation check bug on the server side, the request can be crafted to create an administrator user on the site, allowing the attackers to take full control of the WordPress website.

In the attacks observed by Patchstack, the threat actors uploaded a backdoor capable of executing commands, injecting ads on the website, or redirecting traffic to other malicious sites.

"Since the desired user role can be supplied by the user, but isn't validated properly on the server side, it can be set to the 'administrator' value in order to create a new account that has the administrator user role," PatchStack researcher D. Jong told BleepingComputer.

"After this, they could do anything with the site they want, though what we usually see is that a malicious plugin will be uploaded which contains a backdoor."
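The bug class Jong describes, a registration endpoint that lets the client choose its own role, is easiest to understand next to its fix. The PHP below is an added illustration written for this article; it is not Houzez's, Patchstack's or WordPress core's code. The function names (`example_register_user_vulnerable`, `example_register_user_hardened`, `example_list_recent_admins`), the AJAX action `example_register`, the nonce action `example_register_nonce` and the audit cutoff date are all hypothetical; the WordPress API calls (`wp_insert_user`, `check_ajax_referer`, `get_users`, and so on) are real.

```php
<?php
/*
 * Added illustration for this article (hypothetical names; not the
 * Houzez, Patchstack or WordPress core code). Shows the bug class from
 * the article, a registration handler that trusts a client-supplied
 * role, next to a hardened handler and a small audit helper.
 */

// VULNERABLE PATTERN: the role is read straight from the request body.
// Whatever the client sends, "administrator" included, reaches
// wp_insert_user(), so an unauthenticated visitor ends up with an admin
// account. (Shown for contrast only; it is deliberately not hooked.)
function example_register_user_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $_POST['role'] ?? 'subscriber', // attacker-controlled
    );
    $user_id = wp_insert_user( $userdata );
    wp_send_json( array( 'success' => ! is_wp_error( $user_id ) ) );
}

// HARDENED PATTERN: the server decides the role, a nonce ties the
// request to a real form, and the site's registration setting is honoured.
function example_register_user_hardened() {
    check_ajax_referer( 'example_register_nonce', 'nonce' );

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }

    // The role comes from a server-side setting (WordPress's default_role
    // option), never from a request parameter, and privileged roles are
    // refused even if an administrator misconfigured that option.
    $role = get_option( 'default_role', 'subscriber' );
    if ( in_array( $role, array( 'administrator', 'editor' ), true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// Only the hardened handler is registered for unauthenticated (nopriv) calls.
add_action( 'wp_ajax_nopriv_example_register', 'example_register_user_hardened' );

// AUDIT HELPER for site owners: lists administrator accounts registered
// after a cutoff date so an account created through this bug class can
// be spotted and removed. The default cutoff is an assumed value.
function example_list_recent_admins( $since = '2022-08-01' ) {
    $admins = get_users( array( 'role' => 'administrator' ) );
    $recent = array();
    foreach ( $admins as $admin ) {
        if ( strtotime( $admin->user_registered ) >= strtotime( $since ) ) {
            $recent[] = $admin->user_login . ' (registered ' . $admin->user_registered . ')';
        }
    }
    return $recent;
}
```

The audit helper can be run from a small mu-plugin or through `wp eval` in WP-CLI; any administrator account in its output that the site owner did not create is a sign the site needs incident handling, not just the patch.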

Unfortunately, Patchstack reports that the flaws are being abused at the time of writing, so applying the available patches should be treated with the utmost priority by website owners and administrators.
