Critical Flaws in Houzez Theme Put 46,000+ WordPress Sites at Risk

Two vulnerabilities were discovered in the Houzez theme for WordPress and its associated plugin, Login Register, posing a threat to the security of over 46,000 websites.

Researchers from PatchStack identified that these security flaws enable attackers to gain unauthorized access and elevate their privileges on a site. Although these issues have since been patched, they may still endanger WordPress sites that have not yet updated the aforementioned extensions to the latest version.

The primary vulnerability is a privilege escalation flaw in the Houzez theme. It allows unauthenticated attackers to access administrative functions by sending specific HTTP requests. The issue arises from insufficient access control checks when processing user data, particularly during password resets. This vulnerability has been assigned CVE-2024-22303.

PatchStack experts explain that while nonce token validation was present in the affected versions, any user with the role of “Subscriber” could obtain the token. If registration was enabled on the site, an attacker could create an account and acquire the token necessary to reset passwords.

Additionally, a similar issue was found in the Login Register plugin. The vulnerability, designated CVE-2024-21743, allows unauthorized users to change the email addresses of other accounts, potentially leading to account takeover.

To address these security concerns, the developers released patches for both Houzez and Login Register. Users are advised to update to version 3.3.0 or higher, where additional role checks were implemented, and the vulnerable function was removed.

PatchStack also emphasizes the importance of stringent user data validation when using WordPress functions like wp_update_user() and update_user_meta().