Vulnerability In Houzez Theme Exploited in The Wild

Published 27 February 2023
There is a security vulnerability in the Houzez theme that is being exploited in the wild. The vulnerability in the Houzez theme is an unauthenticated privilege escalation vulnerability.

The Houzez theme is a premium theme sold on ThemeForest and has over 35,000 sales. It's described as a theme specifically designed for the real estate industry. It offers easy-to-use tools that will allow you to manage your agency’s content and listings while providing the best possible experience for your clients.

We have been tracking exploits targeting a critical severity unauthenticated privilege escalation vulnerability in this theme and its related plugin.

The vulnerability in Houzez Theme

These vulnerabilities were discovered by Dave Jong and responsibly disclosed to the plugin developer. They have since been fixed, as can be seen in the Patchstack vulnerability database entries linked below.

Houzez Theme Vulnerability <= 2.7.1, fixed in 2.7.2
WordPress Houzez theme <= 2.7.1 - Privilege Escalation - Patchstack

Houzez Login Register Vulnerability <= 2.6.3, fixed in 2.6.4
WordPress Houzez Login Register plugin <= 2.6.3 - Privilege Escalation - Patchstack

The privilege escalation vulnerability is located in the theme itself and in one of its plugins. The theme provides registration functionality (it must be turned on in the theme settings) that also lets the registering user specify the user role they want to sign up with.

Unfortunately, this role could be set to administrator, which instantly grants administrator privileges on the WordPress site.

The same vulnerability exists in the Houzez Login Register plugin.
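To illustrate the pattern described above, here is a constructed WordPress registration handler (added for this write-up; it is not code from the Houzez theme or the Houzez Login Register plugin). The vulnerable version trusts a role sent by the client, while the hardened version resolves the client's choice against a fixed server-side allowlist of low-privilege roles and never lets a request name `administrator`. All function and parameter names are assumptions.

```php
<?php
// Constructed example, not Houzez code. Assumes a WordPress environment
// (sanitize_user, wp_create_user, wp_insert_user, get_option, etc. exist).

// VULNERABLE pattern: the role is taken straight from the request body, so a
// self-registering visitor can ask for 'administrator'.
function demo_register_vulnerable() {
    $username = sanitize_user( $_POST['username'] ?? '' );
    $email    = sanitize_email( $_POST['email'] ?? '' );
    $password = (string) ( $_POST['password'] ?? '' );
    $role     = (string) ( $_POST['role'] ?? 'subscriber' ); // client-controlled

    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // The unchecked role is applied here; this is the privilege escalation.
    wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
    return $user_id;
}

// HARDENED pattern: only roles on a server-side allowlist may be chosen
// during self-registration; anything else falls back to the site default.
function demo_allowed_registration_roles() {
    // Assumed allowlist: core low-privilege roles only, never 'administrator'.
    return array( 'subscriber', 'author' );
}

function demo_resolve_registration_role( $requested ) {
    $requested = sanitize_key( (string) $requested );
    if ( in_array( $requested, demo_allowed_registration_roles(), true ) ) {
        return $requested;
    }
    // Unknown or privileged role requested: ignore it and use the default.
    return get_option( 'default_role', 'subscriber' );
}

function demo_register_hardened() {
    // Honour the site-wide setting before creating any account at all.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is closed.' );
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => demo_resolve_registration_role( $_POST['role'] ?? '' ),
    ) );
}
```

When auditing a theme or plugin for this class of bug, look for any registration path that passes a request value into the `role` field of `wp_insert_user`, `wp_update_user` or `WP_User::set_role` without an allowlist check, and review recently created administrator accounts on sites that expose public registration.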

Exploited in the wild

The vulnerability in the theme and plugin is currently being exploited in the wild, and at the time of writing we have seen a large number of attacks from the IP address 103.167.93.138.

We will keep monitoring exploitation attempts and update this blog if more information becomes available.
