Two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress are actively being exploited to hijack websites. The vulnerabilities, tracked as CVE-2023-26540 and CVE-2023-26009, are both privilege escalation flaws with a CVSS severity rating of 9.8 out of 10, classifying them as critical threats that need immediate attention.
They were discovered by Patchstack threat researcher Dave Jong and reported to the theme developer ThemeForest. They were subsequently fixed in version 2.6.4, released in August 2022, and version 2.7.2, released in November 2022.
However, the latest Patchstack report on the matter reveals that some websites haven’t installed the security updates yet, leaving them open to privilege escalation attacks in the wild. While there’s no word on who the actual threat actor(s) might be, Patchstack has seen a large number of attacks from the IP address 188.8.131.52 at the time of writing.
The first flaw, CVE-2023-26540, is a security misconfiguration in the Houzez theme itself, while the second, CVE-2023-26009, affects the Houzez Login Register plugin. Both vulnerabilities can be exploited by sending a request to the account creation endpoint listener. They were fixed in versions 2.7.1 and 2.6.3 respectively.
The plugin allows users to add new accounts with varying levels of access. Because of a validation check bug on the server side, a maliciously crafted request can create a new administrative user on the site, giving the threat actors complete control over the site's WordPress backend.
According to Patchstack, after exploitation the threat actors usually upload a malicious plugin that installs a backdoor capable of executing commands, in addition to injecting ads on the site and redirecting traffic to other malicious websites.
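For a site owner who wants to act on the two preceding paragraphs, the practical questions are: is the installed Houzez theme or plugin still older than the fixed versions, has an administrator account appeared that nobody on the team created, is there a plugin on disk that nobody installed, and do the access logs show traffic from the source IP Patchstack reported. The Python below is an added example, not Patchstack's or the Houzez developer's code. It assumes exports in the shape produced by `wp user list --format=json` and `wp plugin list --format=json`, access logs in the common log format, and the fixed versions as the article states them (theme 2.7.1, login-register plugin 2.6.3); every sample user, plugin and log line is constructed for illustration.

```python
"""Post-advisory triage helpers for a WordPress site running Houzez (added example)."""
import json
import re
from datetime import datetime

# Fixed versions as reported in the article; the component keys are our own labels.
FIXED_VERSIONS = {
    "houzez": "2.7.1",
    "houzez-login-register": "2.6.3",
}
# Source IP the article reports a large number of attacks from.
KNOWN_ATTACK_IPS = {"188.8.131.52"}


def parse_version(text):
    """Turn '2.7.1' into (2, 7, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_unpatched(component, installed):
    """True when the installed version is older than the fixed version for that component."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[component])


def unexpected_admins(user_export_json, expected_logins, registered_after):
    """Administrator accounts that are either not on the owner's list or were
    registered after the cut-off date. An unknown admin created after the site
    should have been patched is the primary sign of the exploitation described."""
    cutoff = datetime.strptime(registered_after, "%Y-%m-%d")
    findings = []
    for user in json.loads(user_export_json):
        roles = user["roles"]
        # wp-cli emits roles as a comma-separated string; accept a list as well.
        roles = roles if isinstance(roles, list) else roles.split(",")
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in expected_logins or registered > cutoff:
            findings.append(user["user_login"])
    return findings


def unexpected_plugins(plugin_export_json, allowlist):
    """Plugin slugs present on disk that the owner did not install; the article
    reports a malicious plugin being uploaded after the admin account is created."""
    return sorted(p["name"] for p in json.loads(plugin_export_json) if p["name"] not in allowlist)


# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def requests_from_known_ips(log_lines, bad_ips=KNOWN_ATTACK_IPS):
    """(ip, method, path, status) tuples for every request from a listed source IP."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match and match.group("ip") in bad_ips:
            hits.append((match.group("ip"), match.group("method"),
                         match.group("path"), int(match.group("status"))))
    return hits


# --- constructed sample inputs (not real site data) ---
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "editor_jane", "user_registered": "2022-01-15 09:30:00", "roles": "editor"},
    {"ID": 3120, "user_login": "wpadmin_tmp", "user_registered": "2023-03-01 04:12:33", "roles": "administrator"},
])
SAMPLE_PLUGINS = json.dumps([
    {"name": "houzez-login-register", "status": "active", "version": "2.6.2"},
    {"name": "akismet", "status": "active", "version": "5.0.2"},
    {"name": "wp-core-helper", "status": "active", "version": "1.0"},
])
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Mar/2023:04:10:02 +0000] "GET /properties/ HTTP/1.1" 200 5123',
    '188.8.131.52 - - [01/Mar/2023:04:12:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87',
    '188.8.131.52 - - [01/Mar/2023:04:13:05 +0000] "POST /wp-admin/update.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("login-register plugin unpatched:", is_unpatched("houzez-login-register", "2.6.2"))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"siteowner"}, "2022-11-30"))
    print("unexpected plugins:", unexpected_plugins(SAMPLE_PLUGINS, {"houzez-login-register", "akismet"}))
    for hit in requests_from_known_ips(SAMPLE_LOG):
        print("request from listed IP:", hit)
```

The cut-off date passed to `unexpected_admins` should be the day the site was patched; any administrator registered after that, or any administrator login the team does not recognise regardless of date, warrants a password reset for every admin and a review of the plugin directory, since the article notes that the uploaded plugin carries a command-execution backdoor that survives removal of the rogue account.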