Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Favethemes Houzez allows PHP Local File Inclusion. This issue affects Houzez: from n/a before 4.1.4.
Published: 2025-08-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper validation of filenames used in PHP include/require statements enables attackers to specify arbitrary paths and read files on the local filesystem, resulting in potential disclosure of sensitive configuration data, credentials, or other confidential information. The vulnerability is classified as CWE‑98, indicating a local file inclusion flaw.

Affected Systems

The flaw affects the Favethemes Houzez WordPress theme in all releases prior to version 4.1.4; versions 4.1.4 and later contain a fix.

Risk and Exploitability

The base CVSS score of 4.3 indicates medium severity, and the EPSS score of less than 1% implies a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, and no public exploits have been reported. The likely attack vector is local file inclusion; exploitation is feasible where an attacker can influence file paths, such as through theme configuration options or user‑controlled parameters.

Generated by OpenCVE AI on April 30, 2026 at 07:43 UTC.

Remediation

Vendor Solution

Update the WordPress Houzez theme to the latest available version (at least 4.1.4).


OpenCVE Recommended Actions

  • Upgrade the Houzez theme to version 4.1.4 or later to apply the vendor’s fix.
  • Review and tighten any custom code that performs file inclusion based on user or configuration input, ensuring strict path validation or whitelisting.
  • Set restrictive file‑system permissions on WordPress directories to limit read/write access to only required accounts, reducing the impact of any local file inclusion.



Advisories
Source: EUVD
ID: EUVD-2025-26008
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Favethemes Houzez allows PHP Local File Inclusion. This issue affects Houzez: from n/a before 4.1.4.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Path Traversal: '.../...//' vulnerability in Favethemes Pro Bulk Watermark Plugin for WordPress pro-watermark allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through <= 2.0.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Favethemes Houzez allows PHP Local File Inclusion. This issue affects Houzez: from n/a before 4.1.4.
Title
  Values Removed: WordPress Pro Bulk Watermark Plugin for WordPress Theme <= 2.0 - Path Traversal Vulnerability
  Values Added: WordPress Houzez Theme < 4.1.4 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Favethemes Houzez allows PHP Local File Inclusion. This issue affects Houzez: from n/a before 4.1.4.
  Values Added: Path Traversal: '.../...//' vulnerability in Favethemes Pro Bulk Watermark Plugin for WordPress pro-watermark allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through <= 2.0.
Title
  Values Removed: WordPress Houzez Theme < 4.1.4 - Local File Inclusion Vulnerability
  Values Added: WordPress Pro Bulk Watermark Plugin for WordPress Theme <= 2.0 - Path Traversal Vulnerability
Weaknesses CWE-35
References
Metrics
  Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Sat, 30 Aug 2025 02:15:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez allows PHP Local File Inclusion. This issue affects Houzez: from n/a through 4.1.1.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Favethemes Houzez allows PHP Local File Inclusion. This issue affects Houzez: from n/a before 4.1.4.
Title
  Values Removed: WordPress Houzez Theme <= 4.1.1 - Local File Inclusion Vulnerability
  Values Added: WordPress Houzez Theme < 4.1.4 - Local File Inclusion Vulnerability

Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress
Vendors & Products Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez allows PHP Local File Inclusion. This issue affects Houzez: from n/a through 4.1.1.
Title WordPress Houzez Theme <= 4.1.1 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:03.898Z

Reserved: 2025-06-04T15:44:03.663Z

Link: CVE-2025-49405

Vulnrichment

Updated: 2025-08-28T19:05:20.643Z

NVD

Status: Deferred

Published: 2025-08-28T13:16:00.063

Modified: 2026-04-28T19:33:05.120

Link: CVE-2025-49405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:45:26Z

Weaknesses