CVE-2025-9191
BaseFortify
Publication date: 2025-11-26
Last updated on: 2025-11-26
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| houzez | theme | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Houzez WordPress theme up to version 4.1.6 is vulnerable to PHP Object Injection through deserialization of untrusted input in the saved-search-item.php file. Authenticated users with Subscriber-level access or higher can inject PHP objects. However, this vulnerability only has an impact if another plugin or theme with a PHP Object Injection POP chain is installed, which could then allow actions like deleting files, retrieving sensitive data, or executing code.
How can this vulnerability impact me? :
If your WordPress site uses the Houzez theme up to version 4.1.6 and also has another plugin or theme installed that contains a PHP Object Injection POP chain, an attacker with Subscriber-level access could exploit this vulnerability to delete arbitrary files, access sensitive data, or execute arbitrary code on your site. Without such a POP chain present, the vulnerability has no impact.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Houzez WordPress theme to a version later than 4.1.6 where the issue is fixed. Additionally, review and remove any other plugins or themes that may contain POP chains, as the vulnerability requires a POP chain in another plugin or theme to be exploitable. Limit Subscriber-level access where possible and monitor for suspicious activity.