Description
Missing Authorization vulnerability in favethemes Houzez houzez.This issue affects Houzez: from n/a through <= 3.4.0.
Published: 2025-01-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Houzez WordPress theme is a missing authorization flaw that allows an attacker to bypass normal user permissions. As a result, an unauthenticated or low‑privileged user could gain access to functions reserved for administrators, thereby creating or modifying content or user accounts. This broken access control is classified as CWE‑862, indicating that the application does not properly validate that the requesting user is allowed to perform the operation.

Affected Systems

The problem affects sites that use the Favethemes Houzez theme, from initial release through version 3.4.0. Any WordPress installation that has the theme in place and has not applied a later release is potentially vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.3, indicating moderate severity. The EPSS score is less than 1%, so the probability of real‑world exploitation is low. The issue is not listed in the CISA KEV catalog. The likely attack path involves interacting with the theme’s web interfaces, and although the description does not detail successful exploitation proof, it is inferred that the weak access checks could be abused through normal theme‑provided endpoints.

Generated by OpenCVE AI on May 1, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Houzez theme to the latest version that is newer than 3.4.0, ensuring the fix for the missing authorization checks is applied.
  • Disable any user‑creation or high‑privilege endpoints exposed by the theme for unauthenticated or low‑privileged users, or restrict them to the administrator role via WordPress role settings.
  • Audit existing user accounts on the site for unexpected administrator roles that may have been added through the vulnerable functionality, and remove or re‑assign them as appropriate.

Generated by OpenCVE AI on May 1, 2026 at 18:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3941 Missing Authorization vulnerability in Houzez.co Houzez. This issue affects Houzez: from n/a through 3.4.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Houzez.co Houzez. This issue affects Houzez: from n/a through 3.4.0. Missing Authorization vulnerability in favethemes Houzez houzez.This issue affects Houzez: from n/a through <= 3.4.0.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Mon, 27 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Jan 2025 14:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Houzez.co Houzez. This issue affects Houzez: from n/a through 3.4.0.
Title WordPress Houzez theme <= 3.4.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:33.913Z

Reserved: 2025-01-23T14:53:08.866Z

Link: CVE-2025-24754

cve-icon Vulnrichment

Updated: 2025-01-27T14:24:12.467Z

cve-icon NVD

Status : Deferred

Published: 2025-01-27T14:15:29.477

Modified: 2026-06-17T08:59:33.203

Link: CVE-2025-24754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:30:05Z

Weaknesses