WordPress Theme & Plugin Vulnerabilities Expose Thousands of Sites


Thousands of WordPress sites have been exposed to potential threats due to vulnerabilities in the Houzez theme and WordPress Houzez Login Register plugin.

The flaws are tracked as CVE-2024-22303 (Houzez theme) and CVE-2024-21743 (Houzez Login Register plugin). They affect theme versions up to 3.2.4 and plugin versions up to 3.2.5 respectively, and both are classified as high-priority issues with a CVSS score of 8.8, indicating significant risk.


CVE-2024-22303 – WordPress Houzez Theme Vulnerability

The vulnerability allows privilege escalation, enabling malicious actors to elevate their access from low-privileged accounts to higher privileges.

This could potentially lead to complete control over the affected website. The issue is categorized under the OWASP Top 10 as A5: Security Misconfiguration.

Patch and Mitigation

Patchstack has released a virtual patch to mitigate this vulnerability until users can update to the fixed version, 3.3.0. Website administrators are strongly advised to update immediately to prevent exploitation.

Details
Software: Houzez
Type: Theme
Vulnerable Versions: <= 3.2.4
Fixed in Version: 3.3.0
Patch Priority: High
CVSS Severity: High (8.8)
Published Date: 17 September 2024

CVE-2024-21743 – WordPress Houzez Login Register Plugin

The vulnerability allows for privilege escalation, potentially enabling attackers to elevate their access from a low-privileged account to higher privileges, which could result in complete control over the affected website.

This issue is categorized under the OWASP Top 10 as A5: Security Misconfiguration.


Patch and Mitigation

Patchstack has provided a virtual patch to mitigate this vulnerability until users can update to the fixed version, 3.3.0. Website administrators must update immediately to prevent potential exploitation.

Details
Software: Houzez Login Register
Type: Plugin
Vulnerable Versions: <= 3.2.5
Fixed in Version: 3.3.0
Patch Priority: High
CVSS Severity: High (8.8)
Published Date: 17 September 2024

Risks and Recommendations

The high severity of both vulnerabilities suggests they could be widely exploited if not addressed promptly. Administrators should prioritize updating their sites to version 3.3.0 or later of the theme and the plugin, and consider using Patchstack for automatic mitigation.
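A practical way to act on this advice is to check the installed versions against the ranges in the two advisories before assuming a site is safe. The following script is an added example, not code from the article, Patchstack or the Houzez developers: it reads the "Version:" field from a WordPress theme style.css or plugin main-file header block and compares it with the last vulnerable and fixed versions stated above. The directory slugs "houzez" and "houzez-login-register" and the sample header blocks are assumptions constructed for the example.

```python
import re

# Advisory data taken from the article; the slugs (assumed directory names) are constructed.
ADVISORIES = {
    "houzez": {
        "type": "theme",
        "cve": "CVE-2024-22303",
        "last_vulnerable": "3.2.4",
        "fixed": "3.3.0",
    },
    "houzez-login-register": {
        "type": "plugin",
        "cve": "CVE-2024-21743",
        "last_vulnerable": "3.2.5",
        "fixed": "3.3.0",
    },
}


def parse_version(version):
    """Turn '3.2.4' into (3, 2, 4) so versions order numerically.

    Trailing non-numeric suffixes such as '3.3.0-beta' are dropped from the
    component they appear in; everything after is ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def header_version(file_text):
    """Extract the 'Version:' field from a WordPress theme/plugin header block.

    Both style.css (themes) and the plugin's main PHP file use the same
    'Field: value' header format inside a comment block.
    """
    match = re.search(
        r"^\s*\*?\s*Version:\s*(.+?)\s*$", file_text, re.MULTILINE | re.IGNORECASE
    )
    return match.group(1) if match else None


def assess(slug, file_text):
    """Report whether the installed component falls inside the vulnerable range.

    Returns a dict with the installed version, the matching CVE and a
    'vulnerable' flag; components not covered by the advisories, or files
    with no Version header, are flagged for manual review instead.
    """
    advisory = ADVISORIES.get(slug)
    if advisory is None:
        return {"slug": slug, "status": "not covered by these advisories"}
    installed = header_version(file_text)
    if installed is None:
        return {"slug": slug, "status": "version header missing; inspect manually"}
    vulnerable = parse_version(installed) <= parse_version(advisory["last_vulnerable"])
    return {
        "slug": slug,
        "type": advisory["type"],
        "cve": advisory["cve"],
        "installed": installed,
        "fixed": advisory["fixed"],
        "vulnerable": vulnerable,
        "status": "update to %s or later" % advisory["fixed"] if vulnerable else "patched",
    }


# Constructed sample header blocks standing in for wp-content/themes/houzez/style.css
# and wp-content/plugins/houzez-login-register/<main file>.php on two hypothetical sites.
THEME_STYLE_CSS = """/*
Theme Name: Houzez
Theme URI: https://example.invalid/houzez
Version: 3.2.4
*/"""

PLUGIN_MAIN_PHP = """<?php
/*
Plugin Name: Houzez Login Register
Version: 3.3.0
*/"""

if __name__ == "__main__":
    for slug, text in (("houzez", THEME_STYLE_CSS), ("houzez-login-register", PLUGIN_MAIN_PHP)):
        print(assess(slug, text))
```

Pointing the same two functions at the real style.css and plugin main file of a site gives a quick pre-update inventory; a component whose header carries no Version line is reported for manual inspection rather than silently treated as safe.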

This incident highlights the importance of maintaining up-to-date software and implementing robust security measures to protect digital assets from evolving threats.
