Vulnerabilities in WordPress Theme
Houzez is a high-quality theme and plugin for WordPress from ThemeForest. It is commonly used by real estate websites and has two high-risk vulnerabilities that are being exploited by threat actors:
- The first vulnerability is tracked as CVE-2023-26540 (CVSS score 9.8).
- The second vulnerability is tracked as CVE-2023-26009 (CVSS score 9.8).
The first vulnerability was fixed in version 2.6.4, which was released in August 2022, and the second issue was resolved in version 2.7.2, which was released in November 2022.
The privilege escalation vulnerability was found both in the theme itself and in one of the plugins bundled with the theme: the Houzez Login Register plugin is vulnerable to the same flaw.
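The practical question for a site owner is whether the installed theme and plugin are at or above the fixed versions named above. The following added example (written for this page; it is not Patchstack's tooling or the theme vendor's code) parses the `Version:` line that WordPress theme and plugin header comments carry and compares it against those fixed versions. The directory slugs `houzez` and `houzez-login-register`, and the mapping of the 2.6.4 fix to the theme and the 2.7.2 fix to the plugin (taken from the order of the text), are assumptions.

```python
"""Check an installed Houzez theme / Houzez Login Register plugin against the
fixed versions named in the advisory.  Added example, not Patchstack's tooling."""
import re
from pathlib import Path
from typing import Optional

# Minimum fixed versions from the advisory.  Mapping the 2.6.4 fix to the theme
# and the 2.7.2 fix to the plugin follows the order of the text (assumption).
FIXED_VERSIONS = {
    "houzez": "2.6.4",                 # theme (directory slug assumed)
    "houzez-login-register": "2.7.2",  # plugin (directory slug assumed)
}

# WordPress theme (style.css) and plugin (main .php) headers both carry a
# "Version:" line inside a comment block, optionally prefixed by " * ".
VERSION_RE = re.compile(r"^[ \t*]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_header_version(text: str) -> Optional[str]:
    """Return the Version: value from a theme/plugin header, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """'2.6.4-beta1' -> (2, 6, 4): numeric components only, pre-release tag dropped."""
    numeric = version.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", numeric))


def is_below(installed: str, fixed: str) -> bool:
    """True when installed < fixed; shorter tuples are padded with zeros."""
    a, b = version_key(installed), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess(slug: str, header_text: str) -> dict:
    """Classify one component from the text of its header file."""
    fixed = FIXED_VERSIONS[slug]
    installed = parse_header_version(header_text)
    if installed is None:
        status = "unknown"   # header unreadable: flag for manual review
    elif is_below(installed, fixed):
        status = "vulnerable"
    else:
        status = "patched"
    return {"slug": slug, "installed": installed, "fixed": fixed, "status": status}


def scan_install(wp_root: str) -> list:
    """Read the headers under a WordPress root and assess both components if present."""
    root = Path(wp_root)
    results = []
    style = root / "wp-content" / "themes" / "houzez" / "style.css"
    if style.is_file():
        results.append(assess("houzez", style.read_text(errors="replace")))
    plugin_dir = root / "wp-content" / "plugins" / "houzez-login-register"
    for php in (sorted(plugin_dir.glob("*.php")) if plugin_dir.is_dir() else []):
        text = php.read_text(errors="replace")
        if "Plugin Name:" in text:     # the main plugin file carries the header
            results.append(assess("houzez-login-register", text))
            break
    return results


# Constructed sample headers (not from a real site) so the script runs stand-alone.
SAMPLE_THEME_HEADER = """/*
Theme Name: Houzez
Version: 2.6.3
*/"""
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Houzez Login Register
 * Version: 2.7.2
 */"""


def scan_samples() -> list:
    """Assess the two constructed sample headers above."""
    return [assess("houzez", SAMPLE_THEME_HEADER),
            assess("houzez-login-register", SAMPLE_PLUGIN_HEADER)]


if __name__ == "__main__":
    for r in scan_samples():
        print(f"{r['slug']}: installed {r['installed']}, fixed in {r['fixed']} -> {r['status']}")
```

On a real site, call `scan_install("/var/www/html")` (or wherever WordPress lives) instead of `scan_samples()`. A result of `unknown` means the header could not be read and the version should be checked by hand in the WordPress admin rather than assumed patched.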
In the attacks, the threat actors uploaded a backdoor that enabled them to execute commands, inject ads on the website, and redirect users to malicious sites.
Website owners and administrators should apply the available patches as a priority.
This research was documented by a threat researcher from Patchstack named Dave Jong.