Researchers have found two high-severity vulnerabilities in a well-liked WordPress (opens in new tab) theme and plugin that might enable risk actors to utterly take over the affected web sites.

Cybersecurity consultants from Patchstack uncovered two flaws in a premium add-on used principally for real-estate web sites. The $69 theme known as Houzez, and reportedly has greater than 35,000 clients. 

The 2 vulnerabilities at the moment are tracked as CVE-2023-26540 and CVE-2023-26009. Each are rated 9.8 – essential, and each enable for the elevation of privileges, from a distant location – no authentication required. 

Used within the wild

To make issues even worse – each are being actively used within the wild.

“The vulnerability within the theme and plugin is at present exploited within the wild and have seen numerous assaults from the IP handle 103.167.93.138 on the time of writing,” Patchstack warned.

The failings are hardly new, too. Roughly half a yr in the past, after the researchers first reached out to the theme’s vendor – ThemeForest – a patch for one of many flaws was launched, bringing the theme as much as model 2.6.4. In November final yr, the seller patched the second flaw as effectively, bringing Houzez to model 2.7.2.

As ordinary, customers are suggested to use the patch instantly and keep away from the chance of being focused by cybercriminals. 

WordPress is the world’s hottest web site internet hosting platform, and as such, is a well-liked goal for hackers. However the platform is usually perceived as safe – it’s the numerous themes and add-ons that hackers typically handle to use. 

The themes and add-ons, which could be acquired both immediately through WordPress, or via vendor web site, provide mainly infinite customization choices. They’re cut up into free and industrial classes, and whereas paid choices are normally ceaselessly up to date and maintained, free variations are generally deserted. That being mentioned, they don’t get the required patches on time and supply hackers with ample alternatives to compromise the web site, steal its information, redirect guests elsewhere, and do all different types of malicious actions. 

• This is our checklist of the very best endpoint safety (opens in new tab) instruments proper now

Through: BleepingComputer (opens in new tab)