CVE-2026-57768

favethemes · Houzez Login Register

The Houzez Login Register plugin for WordPress contains an incorrect privilege assignment vulnerability, allowing unauthenticated attackers to escalate privileges.

Executive summary

An unauthenticated privilege escalation vulnerability in the Houzez Login Register plugin allows attackers to gain unauthorized elevated access to the WordPress environment.

Vulnerability

The plugin improperly handles user registration or login processes, permitting an unauthenticated attacker to assign themselves higher privileges than intended, effectively bypassing standard access controls.

Business impact

The CVSS score of 8.2 highlights the severe impact of privilege escalation. An attacker gaining administrative or elevated access could take full control of the WordPress site, leading to complete data compromise, content manipulation, or the installation of malicious software.

Remediation

Immediate Action: Update the Houzez Login Register plugin to the latest patched version once available; if no patch exists, disable or remove the plugin to prevent unauthorized privilege escalation.

Proactive Monitoring: Audit user account lists for newly created or modified accounts with elevated roles that appear suspicious or lack proper authorization.

Compensating Controls: Use a Web Application Firewall (WAF) to monitor for malicious registration requests or unusual traffic patterns hitting the plugin's login/registration endpoints.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability represents a critical risk to site integrity and administrative control. If a patch is not immediately available, the plugin should be disabled to prevent potential account takeovers. Administrators should prioritize verifying current user roles to ensure no unauthorized escalations have already occurred.