Researchers have discovered two high-severity vulnerabilities in a popular WordPress theme and plugin that could allow threat actors to completely take over the affected websites.
Cybersecurity experts from Patchstack uncovered two flaws in a premium add-on used mostly for real-estate websites. The $69 theme is called Houzez, and reportedly has more than 35,000 customers.
The two vulnerabilities are now tracked as CVE-2023-26540 and CVE-2023-26009. Both are rated 9.8 - critical, and both allow for the elevation of privileges, from a remote location - no authentication required.
Used in the wild
To make matters even worse - both are being actively used in the wild.
“The vulnerability in the theme and plugin is currently exploited in the wild and have seen a large number of attacks from the IP address 188.8.131.52 at the time of writing,” Patchstack warned.
The flaws are hardly new, too. Roughly half a year ago, after the researchers first reached out to the theme’s vendor - ThemeForest - a patch for one of the flaws was released, bringing the theme up to version 2.6.4. In November last year, the vendor patched the second flaw as well, bringing Houzez to version 2.7.2.
As usual, users are advised to apply the patch immediately and avoid the risk of being targeted by cybercriminals.
WordPress is the world’s most popular website hosting platform, and as such, is a popular target for hackers. But the platform is generally perceived as secure - it’s the countless themes and add-ons that hackers often manage to exploit.
The themes and add-ons, which can be acquired either directly via WordPress, or through vendor website, offer basically infinite customization options. They are split into free and commercial categories, and while paid options are usually frequently updated and maintained, free versions are sometimes abandoned. That being said, they don’t get the necessary patches on time and provide hackers with ample opportunities to compromise the website, steal its data, redirect visitors elsewhere, and do all other sorts of malicious activities.
- Here's our list of the best endpoint protection tools right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.