Two critical vulnerabilities in a WordPress theme and plugin allow websites to be hacked

A security researcher reports that attackers are actively exploiting vulnerabilities in the Houzez theme and a companion plugin for the WordPress content management platform, two premium add-ons used primarily on real estate websites.

Houzez is a $69 premium add-on that offers easy listing management and transparent customer service. Its developer claims to serve over 35,000 real estate clients.

Both vulnerabilities were discovered by Patchstack threat researcher Dave Jong, who reported them to the vendor, ThemeForest. The first was patched in version 2.6.4, released last August, and the other in version 2.7.2, available since November 2022.

However, Patchstack's advisory warns that some websites have still not applied the security updates, leaving attackers free to exploit both vulnerabilities.

Patchstack said: "Vulnerabilities in themes and plugins are currently being exploited, and at the time of writing we have observed a large number of attacks originating from the IP address 103.167.93.138."

The first vulnerability, in the Houzez theme, is tracked as CVE-2023-26540 and carries a CVSS 3.1 severity score of 9.8 out of 10, making it a critical vulnerability. The second, tracked as CVE-2023-26009, also scores 9.8 out of 10.

Jong told BleepingComputer that attackers exploit these vulnerabilities by sending requests to the endpoints that handle account creation.

Because of a server-side authentication flaw, such a request can create an administrator account on the site, giving the attacker full control of the WordPress website.

In the attacks Patchstack observed, the attackers installed a backdoor capable of executing commands, injecting ads into the site, or redirecting traffic to other malicious websites.

Since Patchstack reports that both vulnerabilities are already being exploited, website owners and administrators should apply the available patches as a top priority.
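As an added defender-side example (not from the article, Patchstack or the vendor), the following Python check does the two things a site owner would want after reading this: it parses a theme or plugin header for its version and compares it against a minimum patched version, and it lists administrator accounts that are not in a known-good baseline, since the attack described above ends with an unexpected admin user. The header text, user list and the version-to-component pairing in the sample are constructed assumptions; take authoritative minimum versions from the vendor.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(header_text: str) -> Optional[Version]:
    """Extract the 'Version:' field from a WordPress theme/plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    if not m:
        return None
    # "2.7.0" -> (2, 7, 0); tuple comparison gives correct semantic ordering
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(header_text: str, min_fixed: Version) -> bool:
    """True when the installed version is below the first patched version.

    An unreadable header is treated as unpatched until verified by hand.
    """
    version = parse_version(header_text)
    if version is None:
        return True
    return version < min_fixed


def suspicious_admins(users: List[dict], baseline_ids: set) -> List[str]:
    """Return administrator logins whose user ID is not in the known-good set."""
    return [u["user_login"] for u in users
            if "administrator" in u["roles"] and u["ID"] not in baseline_ids]


# Constructed sample input (not taken from the article). The assumed minimum
# is the 2.7.2 figure the article gives; confirm against the vendor changelog.
THEME_STYLE_CSS = """/*
Theme Name: Houzez
Version: 2.7.0
*/"""
ASSUMED_MIN_FIXED: Version = (2, 7, 2)

# Shape mirrors a `wp user list --format=json` export, values constructed.
USERS = [
    {"ID": 1, "user_login": "owner", "roles": ["administrator"]},
    {"ID": 57, "user_login": "support_tmp", "roles": ["administrator"]},
    {"ID": 12, "user_login": "agent1", "roles": ["subscriber"]},
]
KNOWN_ADMIN_IDS = {1}

if __name__ == "__main__":
    print("theme unpatched:", is_vulnerable(THEME_STYLE_CSS, ASSUMED_MIN_FIXED))
    print("unexpected admins:", suspicious_admins(USERS, KNOWN_ADMIN_IDS))
```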
