Kritische Schwachstellen im WordPress-Houzez-Plugin ermöglichen das Hacken der Website

Marsch 1, 2023
von Carina Wilson
322 Ansichten
2 Min. gelesen

According to a new Patchstack report, hackers are actively exploiting 2 critical vulnerabilities in the Houzez plugin for WordPress, used primarily on real estate websites.

Ich möchte Sie daran erinnern, dass wir das auch geschrieben haben E-Commerce Software Developer FishPig Hacked in a Massive Supply Chain Attack, und auch das Fast Company Hacker Says ‘Anyone Could Have Done It’.

Information security specialists said that Hackers Scanned 1.6 Million WordPress Sites Looking for a Vulnerable Plugin.

Houzez is a premium plan plugin that offers easy ad management and seamless customer service. The manufacturer’s website claims that it serves over 35,000 real estate clients.

The bugs were discovered by Patchstack threat researcher Dave Jong, who also reported them to theme developer ThemeForest. One of them was fixed in version 2.6.4 in August 2022, and the other in version 2.7.2 in November 2022.

The Patchstack report warns that some websites have not applied the security update, Und threat actors are actively exploiting these flaws in ongoing attacks. And at the moment, a large number of attacks come from the IP address 103.167.93.138.

  1. CVE-2023-26540 (CVSS: 9.8) is related to a security misconfiguration and can be used remotely by an unauthorized hacker to elevate privileges. The problem affects the Houzez plugin version 2.7.1 and higher. The fix is available in Houzez 2.7.2 oder später.
  2. CVE-2023-26009 (CVSS: 9.8) allows an unauthenticated attacker to elevate privileges. Affects the Houzes Login Register plugin version 2.6.3 and higher. The fix is available in Houzez Login Register version 2.6.4 oder später.

According to Jong, hackers exploit these vulnerabilities by sending a request to an endpoint that listens for account creation requests. Due to a bug in server-side validation, the request can be crafted to create an admin user on the site, allowing the attacker to take full control of the WordPress site.

In the attacks seen by Patchstack, the attackers uploaded a backdoor capable of executing commands, placing ads on the site, or redirecting traffic to other malicious sites. Danach, cybercriminals can do whatever they want with the site, but they usually download a malicious plugin that contains a backdoor.

Über den Autor

Carina Wilson

Mit über 10 Jahrelange Erfahrung als Autorin für Online- und Printmedien, Ich bin ein Experte für die Bereitstellung klarer und überzeugender Texte.

Ich habe für eine führende Agentur für SEO-Texte und für einige der bekanntesten Marken Großbritanniens geschrieben, Zeitschriften und Zeitungen.

Alle Beiträge anzeigen

Hinterlasse einen Kommentar