Security News > 2023 > February > Critical flaws in WordPress Houzez theme exploited to hijack websites
Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites.
The Houzez theme is a premium plugin that costs $69, offering easy listing management and a smooth customer experience.
A new Patchstack report warns that some websites have not applied the security update, and threat actors actively exploit these older flaws in ongoing attacks.
The first Houzez flaw is tracked as CVE-2023-26540 and has a severity rating of 9.8 out of 10.0 per the CVSS v3.1 standard, categorizing it as a critical vulnerability.
It's a security misconfiguration impacting the Houzez Theme plugin version 2.7.1 and older and can be exploited remotely without requiring authentication to perform privilege escalation.
Due to a validation check bug on the server side, the request can be crafted to create an administrator user on the site, allowing the attackers to take complete control over the WordPress site.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-05-17 | CVE-2023-26540 | Improper Privilege Management vulnerability in Favethemes Houzez allows Privilege Escalation.This issue affects Houzez: from n/a through 2.7.1. | 0.0 |