Critical Vulnerabilities in WordPress Houzez Plugin Allow Hack of the Website

WordPress Houzez plugin
Written by Carina Wilson

According to a new Patchstack report, hackers are actively exploiting 2 critical vulnerabilities in the Houzez plugin for WordPress, used primarily on real estate websites.

Let me remind you that we also wrote that E-Commerce Software Developer FishPig Hacked in a Massive Supply Chain Attack, and also that Fast Company Hacker Says ‘Anyone Could Have Done It’.

Information security specialists said that Hackers Scanned 1.6 Million WordPress Sites Looking for a Vulnerable Plugin.

Houzez is a premium plan plugin that offers easy ad management and seamless customer service. The manufacturer’s website claims that it serves over 35,000 real estate clients.

The bugs were discovered by Patchstack threat researcher Dave Jong, who also reported them to theme developer ThemeForest. One of them was fixed in version 2.6.4 in August 2022, and the other in version 2.7.2 in November 2022.

The Patchstack report warns that some websites have not applied the security update, and threat actors are actively exploiting these flaws in ongoing attacks. And at the moment, a large number of attacks come from the IP address 103.167.93.138.

  1. CVE-2023-26540 (CVSS: 9.8) is related to a security misconfiguration and can be used remotely by an unauthorized hacker to elevate privileges. The problem affects the Houzez plugin version 2.7.1 and higher. The fix is available in Houzez 2.7.2 or later.
  2. CVE-2023-26009 (CVSS: 9.8) allows an unauthenticated attacker to elevate privileges. Affects the Houzes Login Register plugin version 2.6.3 and higher. The fix is available in Houzez Login Register version 2.6.4 or later.

According to Jong, hackers exploit these vulnerabilities by sending a request to an endpoint that listens for account creation requests. Due to a bug in server-side validation, the request can be crafted to create an admin user on the site, allowing the attacker to take full control of the WordPress site.

In the attacks seen by Patchstack, the attackers uploaded a backdoor capable of executing commands, placing ads on the site, or redirecting traffic to other malicious sites. After that, cybercriminals can do whatever they want with the site, but they usually download a malicious plugin that contains a backdoor.

About the author

Carina Wilson

With over 10 years' experience of writing for online and print media, I'm an expert in delivering clear and compelling copy.

I've written for a leading SEO copywriting agency as well as writing for some of the UK’s best known brands, magazines and newspapers.

Leave a Comment