Two security vulnerabilities have been discovered in the Houzez WordPress theme and its associated Login Register plugin, which are widely used in the real estate sector and currently account for 46,000 sales.
Discovered by PatchStack, these flaws, now patched, could allow unauthorized users to escalate their privileges, potentially compromising entire WordPress sites.
The primary issue was an unauthenticated privilege escalation vulnerability within the Houzez theme. This flaw enabled unauthenticated users to gain elevated privileges by executing specific HTTP requests.
The vulnerability stemmed from inadequate authorization checks in the code that processes user input. Specifically, the function responsible for password resets did not verify if the user requesting the reset was the account owner, allowing anyone to change passwords indiscriminately. This vulnerability has been assigned CVE-2024-22303.
“The page included a nonce check, but any user with a Subscriber role can fetch the nonce, and if the plugin enables registration, anyone could register to get the nonce token,” PatchStack explained.
Additionally, the Houzez Login Register plugin exhibited similar weaknesses. It allowed unauthenticated users to modify the email address associated with any user account, which could lead to account takeovers. This vulnerability has been designated CVE-2024-21743. The plugin’s function for updating user information lacked proper authorization checks, enabling attackers to exploit it easily.
To address these vulnerabilities, the vendor has released updates for both the Houzez theme and the Login Register plugin, urging users to upgrade to version 3.3.0 or higher. The updates include enhanced role checks and the removal of the vulnerable function from the plugin.
“Supplying user input to functions like wp_update_user(), update_user_meta() or similar functions should only be allowed under strict whitelisting options,” PatchStack warned. “Otherwise, the values should be checked and set by the vendor according to the right privilege levels.”
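The pattern PatchStack describes, a nonce check standing in for authorization, shown beside a hardened handler that checks capabilities and whitelists the fields passed to wp_update_user(). This is an added illustration written for this article, not code from the Houzez theme or plugin; the handler names, nonce action, AJAX hook and field names are assumptions.

```php
<?php
// Added illustration (not Houzez code): a hypothetical AJAX handler that updates
// a user's email. Function, hook, nonce and field names are assumptions.

// WEAK pattern (not registered below): a nonce proves the request came from a page
// that issued it, not who is allowed to edit which account. Any user able to obtain
// the nonce can submit a foreign user_id.
function hypothetical_update_email_weak() {
    check_ajax_referer( 'profile_nonce', 'security' );           // intent, not identity
    $user_id = absint( $_POST['user_id'] );                       // caller-chosen target
    wp_update_user( array( 'ID' => $user_id, 'user_email' => sanitize_email( $_POST['email'] ) ) );
    wp_send_json_success();
}

// HARDENED pattern: nonce + login check + capability check against the target ID,
// the target taken from the session rather than the request, and a strict whitelist
// of fields that may reach wp_update_user().
function hypothetical_update_email_hardened() {
    check_ajax_referer( 'profile_nonce', 'security' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not authenticated', 401 );
    }

    // Only act on the authenticated user. An admin editing others would need an
    // explicit edit_user check against the requested ID, never inferred from a nonce.
    $user_id = get_current_user_id();
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed_fields = array( 'user_email', 'display_name' );      // explicit whitelist
    $data = array( 'ID' => $user_id );
    foreach ( $allowed_fields as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            $data[ $field ] = ( 'user_email' === $field )
                ? sanitize_email( wp_unslash( $_POST[ $field ] ) )
                : sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        }
    }
    // Privilege-bearing keys such as 'role' are never copied from the request.

    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_update_email', 'hypothetical_update_email_hardened' );
```

The same rule applies to update_user_meta(): build the key/value pairs from a fixed server-side list keyed on the caller's verified capabilities, not from whatever arrives in the request.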