Vulnerability In Houzez Theme Exploited in The Wild

Published 27 February 2023
Updated 24 July 2023
Dave Jong
CTO at Patchstack

There is a security vulnerability in Houzez Theme that is exploited in the wild. The vulnerability in Houzez Theme is an Unauthenticated Privilege Escalation vulnerability.

The Houzez theme is a premium theme sold on ThemeForest and has over 35,000 sales. It's described as a theme specifically designed for the real estate industry. It offers easy-to-use tools that will allow you to manage your agency’s content and listings while providing the best possible experience for your clients.

We have been tracking exploits targeting a critical severity unauthenticated privilege escalation vulnerability in this theme and its related plugin.

The vulnerability in Houzez Theme

These vulnerabilities were discovered by Dave Jong and responsibly disclosed to the developer. They have since been fixed, as shown in the Patchstack vulnerability database entries linked below.

Houzez Theme Vulnerability <= 2.7.1, fixed in 2.7.2
WordPress Houzez theme <= 2.7.1 - Privilege Escalation - Patchstack

Houzez Login Register Vulnerability <= 2.6.3, fixed in 2.6.4
WordPress Houzez Login Register plugin <= 2.6.3 - Privilege Escalation - Patchstack

The privilege escalation vulnerability exists in both the theme itself and one of its plugins. The theme provides registration functionality (it must be turned on in the settings) that also lets the user choose the role they want to sign up with.

Unfortunately, this role value could be set to administrator, instantly granting administrator privileges on the WordPress site.

The same vulnerability exists in the Houzez Login Register plugin.
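As an added illustration (not code from the Houzez theme or the Houzez Login Register plugin), the vulnerable pattern described above, a registration handler that trusts a client-supplied role, beside a hardened form that only honours roles from a fixed allow-list and logs rejected requests. All function names and the nonce action are hypothetical.

```php
<?php
// Added, illustrative example; NOT code from the Houzez theme or the Houzez
// Login Register plugin. All function names here are hypothetical.
// Vulnerable pattern: the role is read from the request and handed to
// wp_insert_user() unchanged, so a request carrying role=administrator
// creates an administrator account.
function example_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ) ),
        'user_pass'  => $_POST['password'],
        'role'       => sanitize_text_field( wp_unslash( $_POST['role'] ) ), // client-controlled
    );
    return wp_insert_user( $userdata );
}

// Hardened pattern: the server owns the decision. A client-supplied role is
// only honoured when it appears in a fixed allow-list of low-privilege,
// self-service roles; anything else falls back to the site default.
function example_resolve_registration_role( $requested, array $allowed, $fallback ) {
    $requested = strtolower( trim( (string) $requested ) );
    if ( in_array( $requested, $allowed, true ) ) {
        return $requested;
    }
    if ( '' !== $requested ) {
        // A rejected role request is a useful detection signal; record it.
        error_log( 'Rejected self-registration role: ' . $requested );
    }
    return $fallback;
}

function example_register_hardened() {
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }
    $role = example_resolve_registration_role(
        isset( $_POST['role'] ) ? wp_unslash( $_POST['role'] ) : '',
        array( 'subscriber' ),                  // never administrator or editor
        get_option( 'default_role', 'subscriber' )
    );
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ) ),
        'user_pass'  => $_POST['password'],
        'role'       => $role,
    );
    return wp_insert_user( $userdata ); // user ID on success, WP_Error on failure
}
```

The fallback relies on the site's default_role option, so that option must itself not be set to a privileged role.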

Exploited in the wild

The vulnerability in the theme and plugin is currently being exploited in the wild; at the time of writing, a large number of attacks have come from the IP address 103.167.93.138.

We will keep monitoring exploitation attempts and update this blog if more information becomes available.

Patchstack paid plan users are protected from the vulnerability. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.
