Active Exploitation of Critical Vulnerabilities in WordPress Plugin Houzez

Published on 28 Feb 2023 | Updated on 28 Feb 2023

There have been recent reports of active exploitation of two critical vulnerabilities (CVE-2023-26540 and CVE-2023-26009) affecting Houzez, a WordPress plugin. Both vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10. 

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain admin privileges and take full control of the affected website. 

The following versions of the Houzez plugin are affected:

  • Versions 2.7.1 and earlier for CVE-2023-26540 
  • Versions 2.6.3 and earlier for CVE-2023-26009

Users and administrators of affected product versions are advised to upgrade to the latest version immediately.
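As an added example (not part of this advisory, Patchstack's write-ups, or the Houzez project), the check below reads the `Version:` field from WordPress theme and plugin file headers and compares it with the affected ranges listed above, so an administrator can confirm whether an install is in scope before and after upgrading. The file locations (`wp-content/themes/houzez/style.css` and `wp-content/plugins/houzez-login-register/*.php`) follow the standard WordPress layout and are assumptions; the sample headers are constructed for the demonstration.

```python
import re
from pathlib import Path

# Affected ranges from the advisory: a version is affected if it is <= the threshold.
# The slugs come from the Patchstack URLs above; the file paths are assumed standard layout.
AFFECTED = {
    "houzez": ("2.7.1", "CVE-2023-26540"),                 # wp-content/themes/houzez/style.css
    "houzez-login-register": ("2.6.3", "CVE-2023-26009"),  # wp-content/plugins/houzez-login-register/*.php
}

# Matches "Version: 2.7.1" in a style.css header and " * Version: 2.6.3" in a PHP docblock.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([^\s*]+)", re.IGNORECASE | re.MULTILINE)


def parse_version(version: str) -> tuple:
    """Normalise '2.7.1', '2.7' or '2.7.1-rc1' into a tuple of ints.
    Non-numeric suffixes are dropped; fewer than three components are padded with 0."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """True if version a is less than or equal to version b (e.g. '2.7.1.0' == '2.7.1')."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa <= pb


def header_version(text: str):
    """Extract the 'Version:' field from a WordPress theme or plugin file header.
    Takes the first match, which in real files is the header block at the top."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def check(slug: str, header_text: str):
    """Return (version, cve) if the component is inside the affected range, else None."""
    if slug not in AFFECTED:
        return None
    version = header_version(header_text)
    if version is None:
        return None  # header unreadable; inspect the install manually
    threshold, cve = AFFECTED[slug]
    return (version, cve) if version_le(version, threshold) else None


def scan_wp_root(wp_root: str) -> list:
    """Scan a WordPress install root (assumed standard layout) and list affected components."""
    root = Path(wp_root)
    findings = []
    theme_css = root / "wp-content" / "themes" / "houzez" / "style.css"
    if theme_css.is_file():
        hit = check("houzez", theme_css.read_text(errors="ignore"))
        if hit:
            findings.append(("houzez", *hit))
    plugin_dir = root / "wp-content" / "plugins" / "houzez-login-register"
    if plugin_dir.is_dir():
        # The main plugin file carries the header; stop at the first file that has one.
        for php in sorted(plugin_dir.glob("*.php")):
            hit = check("houzez-login-register", php.read_text(errors="ignore"))
            if hit:
                findings.append(("houzez-login-register", *hit))
                break
    return findings


# Constructed sample headers (not real files) so the check can be run offline.
SAMPLE_THEME_CSS = """/*
Theme Name: Houzez
Version: 2.7.1
*/
"""
SAMPLE_PLUGIN_PHP = """<?php
/**
 * Plugin Name: Houzez Login Register
 * Version: 2.6.4
 */
"""

if __name__ == "__main__":
    for slug, text in (("houzez", SAMPLE_THEME_CSS), ("houzez-login-register", SAMPLE_PLUGIN_PHP)):
        hit = check(slug, text)
        print(slug, "AFFECTED" if hit else "not in affected range", hit or "")
```

Run `scan_wp_root("/var/www/html")` (or wherever the install lives) against a real site; the sample run above reports the theme at 2.7.1 as affected and the plugin at 2.6.4 as outside the affected range. The version comparison pads components so that `2.7.1.0` is treated as equal to the `2.7.1` threshold rather than as a newer release.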


More information is available here:

https://patchstack.com/database/vulnerability/houzez/wordpress-houzez-theme-2-7-1-privilege-escalation

https://patchstack.com/database/vulnerability/houzez-login-register/wordpress-houzez-login-register-plugin-2-6-3-privilege-escalation

https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-houzez-theme-exploited-to-hijack-websites/