WordPress Theme ‘Houzez’ and Associated Plugin Vulnerabilities Expose Thousands of Sites
Two critical vulnerabilities have been discovered in the widely used WordPress theme Houzez and its companion plugin Houzez Login Register. With over 46,000 sales, Houzez is a popular choice for real estate agencies looking to manage content and property listings efficiently. The newly identified vulnerabilities could allow unauthorized users to take over WordPress sites running the theme, posing a severe risk to businesses and their clients.
CVE-2024-22303 (CVSS 8.8): Houzez Theme Privilege Escalation
Security researchers have uncovered an unauthenticated privilege escalation vulnerability in the Houzez theme. This flaw could enable any unauthenticated user to elevate their privileges and potentially take over a WordPress site by performing a series of HTTP requests.
The vulnerability exists because the code handling user input lacks proper authorization checks. While the theme includes a nonce check—a security measure to prevent unauthorized actions—any user with a Subscriber role can retrieve the nonce. If user registration is enabled on the site, even unauthenticated users can register and obtain the nonce token.
Moreover, the theme fails to verify whether the user invoking the houzez_ajax_password_reset action with a $userID parameter is the actual owner of that account. This oversight allows attackers to reset the password of any account, including administrator accounts.
CVE-2024-21743 (CVSS 8.8): Houzez Login Register Plugin Vulnerability
The required plugin Houzez Login Register, responsible for handling user registrations, is also affected by a privilege escalation vulnerability. The houzez_agency_agent_update action invokes the wp_update_user() function with user-supplied $agency_user_id and $useremail parameters.
This means that a user with a Subscriber role—or an unauthenticated user if registration is enabled—can change any user’s email address to one under the attacker’s control. Once the email is changed, the attacker can initiate a password reset, sending the reset link to themselves and effectively hijacking the account.
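The check missing from both the password reset and the email update described above, shown as an added example in the style of a WordPress plugin. This is not code from Houzez or from the advisories, and the action names, nonce action and POST field names are hypothetical. A nonce only ties the request to a session; the ownership or capability test decides whether the caller may touch the target account.

```php
<?php
// Added example; hypothetical handlers, not Houzez code. Action names,
// the nonce action and POST field names are assumptions for illustration.

// Registered on wp_ajax_ only (no wp_ajax_nopriv_), so callers must be logged in.
add_action( 'wp_ajax_example_password_reset', 'example_password_reset' );
add_action( 'wp_ajax_example_email_update', 'example_email_update' );

// Returns the validated target user ID, or ends the request with an error.
function example_authorized_target( $field ) {
    // CSRF check: proves the request came from this session, nothing more.
    check_ajax_referer( 'example_account_nonce', 'security' );

    $target_id = isset( $_POST[ $field ] ) ? absint( $_POST[ $field ] ) : 0;
    if ( 0 === $target_id ) {
        wp_send_json_error( array( 'msg' => 'Invalid user.' ), 400 );
    }
    // Authorization check: caller owns the account or may edit that user.
    if ( get_current_user_id() !== $target_id
        && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'msg' => 'Forbidden.' ), 403 );
    }
    return $target_id;
}

function example_password_reset() {
    $target_id = example_authorized_target( 'userID' );
    $new_pass  = isset( $_POST['newpass'] ) ? (string) wp_unslash( $_POST['newpass'] ) : '';
    if ( '' === $new_pass ) {
        wp_send_json_error( array( 'msg' => 'Empty password.' ), 400 );
    }
    wp_set_password( $new_pass, $target_id );
    wp_send_json_success( array( 'msg' => 'Password updated.' ) );
}

function example_email_update() {
    $target_id = example_authorized_target( 'agency_user_id' );
    $email     = isset( $_POST['useremail'] ) ? sanitize_email( wp_unslash( $_POST['useremail'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'msg' => 'Invalid email.' ), 400 );
    }
    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'msg' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'msg' => 'Email updated.' ) );
}
```

With this pattern a Subscriber who holds a valid nonce still receives a 403 when the submitted ID belongs to another account, because Subscribers do not have the edit_user capability for other users.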
If your website uses the Houzez theme or the Houzez Login Register plugin, it is crucial to update the theme and the Houzez Login Register plugin to version 3.3.0 or higher.
For more detailed information, you can refer to the Patchstack advisories for CVE-2024-22303 and CVE-2024-21743.