Researchers have discovered two serious vulnerabilities in a popular WordPress theme and plugin that could allow cybercriminals to take complete control of affected websites.
Cybersecurity experts at Patchstack discovered two vulnerabilities in a premium add-on mainly used on real estate websites. The $69 theme is called Houzez and reportedly has over 35,000 customers.
The two vulnerabilities are now tracked as CVE-2023-26540 and CVE-2023-26009. Both carry a 9.8 Critical rating, and both allow an unauthenticated remote attacker to escalate privileges.
Used in the wild
Even worse, both are actively being exploited in the wild.
“The theme and plugin vulnerability is currently being exploited in the wild and at the time of writing has witnessed multiple attacks from the IP address 184.108.40.206,” Patchstack warned.
The flaws are not new either. About half a year ago, after researchers first contacted the theme provider, ThemeForest, a patch was released to fix one of the vulnerabilities, bringing the theme up to version 2.6.4. Last November, the vendor also patched the second vulnerability by rolling out Houzez version 2.7.2.
As usual, users are advised to install the patch immediately to avoid the risk of being targeted by cyber criminals.
WordPress is the world’s most popular website platform and as such is a popular target for hackers. While the platform itself is generally perceived as safe, there are countless themes and add-ons that hackers can often take advantage of.
Themes and add-ons, which can be purchased directly through WordPress or via the provider’s website, offer almost endless customization options. They fall into free and commercial categories, and while the paid options are usually updated and maintained frequently, the free versions are sometimes abandoned. When that happens, they don’t receive the necessary fixes in time and give hackers ample opportunity to break into a website, steal its data, redirect visitors elsewhere, and perform all sorts of malicious activities.
By: BleepingComputer