This critical WordPress plugin flaw could let hackers hijack your website

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

Researchers have discovered two high-severity vulnerabilities in a popular WordPress theme and plugin that could allow threat actors to completely take over the affected websites.

Cybersecurity experts from Patchstack uncovered two flaws in a premium add-on used mostly for real-estate websites. The $69 theme is called Houzez, and reportedly has more than 35,000 customers. 

The two vulnerabilities are now tracked as CVE-2023-26540 and CVE-2023-26009. Both are rated 9.8 - critical, and both allow for the elevation of privileges, from a remote location - no authentication required. 

Used in the wild

To make matters even worse - both are being actively used in the wild.

“The vulnerability in the theme and plugin is currently exploited in the wild and have seen a large number of attacks from the IP address at the time of writing,” Patchstack warned.

The flaws are hardly new, too. Roughly half a year ago, after the researchers first reached out to the theme’s vendor - ThemeForest - a patch for one of the flaws was released, bringing the theme up to version 2.6.4. In November last year, the vendor patched the second flaw as well, bringing Houzez to version 2.7.2.

As usual, users are advised to apply the patch immediately and avoid the risk of being targeted by cybercriminals. 

WordPress is the world’s most popular website hosting platform, and as such, is a popular target for hackers. But the platform is generally perceived as secure - it’s the countless themes and add-ons that hackers often manage to exploit. 

The themes and add-ons, which can be acquired either directly via WordPress, or through vendor website, offer basically infinite customization options. They are split into free and commercial categories, and while paid options are usually frequently updated and maintained, free versions are sometimes abandoned. That being said, they don’t get the necessary patches on time and provide hackers with ample opportunities to compromise the website, steal its data, redirect visitors elsewhere, and do all other sorts of malicious activities. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.