- The Houzez WordPress theme is a premium theme with over 35,000 sales on ThemeForest. It is regarded as a theme designed specifically for the real estate industry.
- Patchstack states that it has been tracking exploits targeting the Houzez theme and its accompanying plugin for a critical severity unauthenticated privilege escalation vulnerability.
- The theme has registration functionality, which must be enabled in the settings, that lets the user select the user role they want to acquire; this value can be changed to administrator to gain instant administrator access to the WordPress site.
The Houzez theme is a premium WordPress theme that has over 35,000 sales on ThemeForest. It is regarded as a theme created exclusively for the real estate sector. It provides simple tools for managing an agency's content and listings while offering a pleasant experience for the agency's clients.
Patchstack reports that it has been tracking exploits targeting a critical severity unauthenticated privilege escalation vulnerability in this theme and its related plugin.
Details on the vulnerability
Patchstack has rated both vulnerabilities as critical, with a CVSS score of 9.8.
Both the theme and one of its plugins have a privilege escalation issue. The theme contains registration functionality, which must be enabled in the settings, and allows the user to choose which user role they want to acquire. Unfortunately, this value can be changed to administrator in a specially crafted request, granting immediate administrator access to the WordPress site. Dave Jong from Patchstack discovered and reported this privilege escalation vulnerability in the WordPress Houzez Login Register plugin.
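To make the class of bug concrete for developers reviewing their own registration code, below is an added illustration written for this article; it is not Houzez's or Patchstack's code and does not reproduce the theme's actual handler. It contrasts a registration handler that trusts a client-supplied role with a hardened one that decides the role server-side. The form field names (`username`, `email`, `password`, `role`, `_wpnonce`), the nonce action `example_register` and the allow-list of self-service roles are assumptions for the example; the only real fix for affected sites is the update listed under Fixes.

```php
<?php
// Added example (not Houzez code). Field names, nonce action and the
// allow-list below are assumptions chosen for illustration.

// --- Vulnerable pattern: the role is taken straight from the request. ---
// A client can submit any role slug WordPress knows, including
// 'administrator', and it is applied without a server-side decision.
function example_register_vulnerable() {
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    $role     = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) ); // client-controlled

    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    $user->set_role( $role ); // no check: 'administrator' is accepted as-is
    return $user_id;
}

// --- Hardened pattern: the server picks the role. ---
// The request may only choose from a fixed allow-list of low-privilege
// roles; anything else falls back to the site's configured default role,
// and any role carrying admin-level capabilities is refused outright.
function example_register_hardened() {
    // Registration must be enabled site-wide, exactly as the core setting says.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.' );
    }
    // The form must carry a valid nonce for this action (assumed action name).
    if ( ! wp_verify_nonce( (string) ( $_POST['_wpnonce'] ?? '' ), 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        return new WP_Error( 'invalid_input', 'Username, e-mail or password is invalid.' );
    }

    // Roles a visitor may pick for themselves (assumed list; built-in WP roles).
    $allowed_roles = array( 'subscriber', 'contributor' );
    $requested     = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    $role          = in_array( $requested, $allowed_roles, true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );

    // Defense in depth: never hand out a role that can administer the site,
    // even if the allow-list or default_role option were misconfigured.
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) || $role_obj->has_cap( 'edit_users' ) ) {
        error_log( sprintf( 'Registration refused: role "%s" is privileged', $role ) );
        return new WP_Error( 'privileged_role', 'Requested role is not available.' );
    }

    // wp_insert_user() applies the role we decided on, not the one submitted.
    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}
```

The point of the hardened version is that the role written to the database is always a server-side choice: the request can only pick among roles the site operator explicitly opened to self-registration, and a capability check on the resolved role catches misconfiguration of that list or of the `default_role` option. Logging the refusal gives defenders a signal to alert on.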
Fixes
- Update the WordPress Houzez Login Register plugin to the latest available version (at least 2.6.4).
- Update the WordPress Houzez theme to the latest available version (at least 2.7.2).