Threat groups are actively exploiting two critical-severity vulnerabilities in the Houzez theme and its companion plugin for WordPress. The $69 premium theme offers listing management and a polished customer-facing interface, and it is used by roughly 35,000 websites in the real estate sector. The first vulnerability, tracked as CVE-2023-26540, is rated critical; it is a security misconfiguration in the Houzez theme that allows an unauthenticated, remote attacker to escalate privileges. The second flaw, tracked as CVE-2023-26009, is also rated critical and allows unauthenticated attackers to escalate privileges on sites running the Houzez Login Register plugin.
The company that developed the theme was made aware of attacks being carried out in the wild and has released updates for both the theme and the Houzez Login Register plugin. CVE-2023-26540 is fixed in Houzez theme version 2.7.2 and later; CVE-2023-26009 is addressed by running the Houzez Login Register plugin at version 2.6.4 or later. Anyone running the Houzez theme and plugin should confirm that both components are at or above those versions before assuming they are protected: the two fixes ship separately, so an updated theme does not cover the plugin flaw, and vice versa.
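A quick way to verify the two versions on a server is to read the WordPress file headers directly, which works even when the admin dashboard is unavailable. The script below is an added example written for this article, not code from the Houzez vendor or from WordPress; the theme directory name `houzez`, the plugin directory and main-file name `houzez-login-register/houzez-login-register.php`, and the two sample headers are assumptions constructed for illustration. The fixed versions it compares against are the ones the article names.

```python
"""Audit a wp-content directory for Houzez theme / Login Register plugin
versions below the fixed releases named in the advisory.

Added example, not vendor code. The theme slug, plugin slug, and sample
headers below are assumptions constructed for illustration.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import Dict, Optional, Tuple

# Minimum non-vulnerable versions as stated in the article.
FIXED_VERSIONS = {
    "houzez": "2.7.2",                  # theme, CVE-2023-26540
    "houzez-login-register": "2.6.4",   # plugin, CVE-2023-26009
}

# Assumed on-disk locations relative to wp-content/ (slugs are assumptions).
COMPONENT_FILES = {
    "houzez": Path("themes") / "houzez" / "style.css",
    "houzez-login-register": Path("plugins") / "houzez-login-register"
    / "houzez-login-register.php",
}

# WordPress header fields look like "Version: 2.7.1" inside a comment block;
# plugin headers usually prefix each line with " * ".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

# Constructed sample headers (not real vendor files) for offline use.
SAMPLE_THEME_STYLE_CSS = """/*
Theme Name: Houzez
Theme URI: https://example.invalid/houzez
Version: 2.7.1
*/
"""
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Houzez Login Register
 * Version: 2.6.3
 */
"""


def parse_wp_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' field from a theme/plugin file header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.7.2' -> (2, 7, 2). Non-numeric tails such as '2.7.2-beta' count as 0."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_vulnerable(component: str, installed: Optional[str]) -> bool:
    """True when the installed version is below the fixed one, or is unknown.

    An unreadable version is treated as vulnerable so the audit fails closed.
    """
    if installed is None:
        return True
    have = version_tuple(installed)
    fixed = version_tuple(FIXED_VERSIONS[component])
    width = max(len(have), len(fixed))  # pad so (2, 7) compares against (2, 7, 2)
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have < fixed


def check_header(component: str, header_text: str) -> Tuple[Optional[str], bool]:
    """Parse one header and report (installed_version, vulnerable)."""
    installed = parse_wp_version(header_text)
    return installed, is_vulnerable(component, installed)


def audit(wp_content: Path) -> Dict[str, Tuple[Optional[str], bool]]:
    """Check every known component under wp-content/. Missing files are skipped
    (the component is simply not installed, so it is not reported)."""
    results = {}
    for component, rel in COMPONENT_FILES.items():
        path = wp_content / rel
        if path.is_file():
            results[component] = check_header(component, path.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("wp-content")
    for name, (ver, vuln) in audit(root).items():
        print(f"{name}: {ver or 'unknown'} -> {'VULNERABLE' if vuln else 'ok'}")
```

Run it as `python houzez_audit.py /var/www/html/wp-content`; a component that is absent is not reported, while one whose header cannot be parsed is reported as vulnerable rather than silently passed.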