Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Stay vigilant. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Active Exploitation of Critical Vulnerabilities in WordPress Plugin Houzez
Alerts

Active Exploitation of Critical Vulnerabilities in WordPress Plugin Houzez

28 February 2023

There have been recent reports of active exploitation of two critical vulnerabilities (CVE-2023-26540 and CVE-2023-26009) affecting Houzez, a WordPress plugin. Both vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10. 

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain admin privileges and take full control of the affected website. 

The following versions of the Houzez plugin are affected:

  • Versions 2.7.1 and earlier for CVE-2023-26540 

  • Versions 2.6.3 and earlier for CVE-2023-26009

Users and administrators of affected product versions are advised to upgrade to the latest version immediately.

More information is available here:

https://patchstack.com/database/vulnerability/houzez/wordpress-houzez-theme-2-7-1-privilege-escalation

https://patchstack.com/database/vulnerability/houzez-login-register/wordpress-houzez-login-register-plugin-2-6-3-privilege-escalation

https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-houzez-theme-exploited-to-hijack-websites/

Back to top