Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez for WordPress theme and plugin, two premium add-ons used primarily in real estate websites.

The Houzez theme is a premium plugin that costs $69, offering easy listing management and a smooth customer experience. The seller’s site claims to serve more than 35,000 clients in the real estate industry.

Both vulnerabilities were discovered by Patchstack threat researcher Dave Jong and reported to the theme provider, “ThemeForest”, with one flaw patched in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022).

However, a new Patchstack report warns that some websites have failed to apply the security update and threat actors are actively exploiting these old flaws in ongoing attacks.

Abused to take control of sites

The first Houzez fault is followed as CVE-2023-26540 and has a severity rating of 9.8 out of 10.0 according to the CVSS v3.1 standard, categorizing it as a critical vulnerability.

This is a security misconfiguration affecting the Houzez Theme plugin version 2.7.1 and earlier and can be exploited remotely without requiring authentication to perform privilege escalation.

The version that fixes the problem is Houzez theme 2.7.2 or later.

The second flaw received the id CVE-2023-26009and it is also classified as critical (CVSS v3.1: 9.8), impacting the Houzes Login Register plugin.

This affects versions 2.6.3 and earlier, allowing unauthenticated attackers to perform privilege escalation on sites using the plugin.

The version that addresses the security threat is Houzez Login Register 2.6.4 or later.

Dave Jong told BleepingComputer that threat actors exploit these vulnerabilities by sending a request to the endpoint that listens for account creation requests.

Due to a server-side validation check bug, the request can be crafted to create an administrator user on the site, allowing attackers to take full control of the WordPress site.

In the attacks observed by Patchstack, the threat actors downloaded a backdoor capable of executing commands, injecting advertisements into the website, or redirecting traffic to other malicious sites.

“Since the desired user role may be provided by the user, but is not validated properly on the server side, it may be set to the value ‘administrator’ to create a new account with the role administrator user,” said a PatchStack researcher. D. Jong told BleepingComputer.

“After that they could do anything with the site they want although what we usually see is that a malicious plugin will be downloaded which contains a backdoor.

Unfortunately, Patchstack reports that flaws are being abused while writing this, so applying available patches should be treated with the highest priority by website owners and administrators.