vulnerability

WordPress Theme: houzez: CVE-2023-26540: Incorrect Privilege Assignment

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: Feb 27, 2023
Added: Dec 8, 2025
Modified: Dec 8, 2025

Description

The Houzez theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.7.1. This is due to improper assignment of privileges on user management/registration that allows users to supply their own role via the houzez_change_user_role and houzez_register_user_with_membership AJAX actions. This makes it possible for unauthenticated attackers to register as administrators on vulnerable sites.
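The class of fix for this weakness is a server-side role allowlist. The sketch below is an added example, not code from the Houzez theme or its patch; the `example_` function and action names, the `example_agent` role, the nonce actions and the POST field names are all hypothetical.

```php
<?php
// Added example: hypothetical handlers, not the Houzez theme's code.
// Roles a visitor may select for themselves; anything else is refused.
const EXAMPLE_SELF_SERVICE_ROLES = array( 'subscriber', 'example_agent' );

// Return the requested role only if it is on the allowlist, else null.
function example_pick_role( $requested ) {
    if ( ! is_string( $requested ) ) {
        return null; // arrays or missing values never map to a role
    }
    $role = sanitize_key( $requested );
    return in_array( $role, EXAMPLE_SELF_SERVICE_ROLES, true ) ? $role : null;
}

// Registration endpoint reachable without login (wp_ajax_nopriv_*).
function example_register_user() {
    check_ajax_referer( 'example_register', 'nonce' ); // dies on a bad nonce
    $role = example_pick_role( wp_unslash( $_POST['role'] ?? 'subscriber' ) );
    if ( null === $role ) {
        wp_send_json_error( array( 'message' => 'Role not allowed.' ), 403 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role, // never the raw request value
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_example_register_user', 'example_register_user' );

// Role change: registered for logged-in users only (no nopriv hook).
function example_change_user_role() {
    check_ajax_referer( 'example_change_role', 'nonce' );
    $user = wp_get_current_user();
    $role = example_pick_role( wp_unslash( $_POST['role'] ?? '' ) );
    // Refuse unknown targets, and accounts holding any non-self-service role.
    if ( null === $role || array_diff( $user->roles, EXAMPLE_SELF_SERVICE_ROLES ) ) {
        wp_send_json_error( array( 'message' => 'Role change not allowed.' ), 403 );
    }
    $user->set_role( $role );
    wp_send_json_success( array( 'role' => $role ) );
}
add_action( 'wp_ajax_example_change_user_role', 'example_change_user_role' );
```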

Solution

houzez-theme-cve-2023-26540