Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS. This issue affects Houzez: from n/a through 4.1.1.
Published: 2025-08-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Houzez WordPress theme, versions up to 4.1.1, contains an improper neutralization of input during web page generation vulnerability (CWE‑79). A crafted input that is reflected by the theme can cause arbitrary JavaScript to execute in the context of the victim’s browser, allowing an attacker to steal credentials, deface a site, or redirect the user.

Affected Systems

The vulnerability affects the Favethemes Houzez theme, any installation using version 4.1.1 or earlier. No specific WordPress core versions are mentioned, so the issue applies broadly to all affected themes regardless of the underlying WordPress installation.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score of less than 1 % suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is reflected, the likely attack vector is a malicious link or input that a user follows or submits; it can be exploited remotely by anyone who can control the input that the theme renders.

Generated by OpenCVE AI on April 30, 2026 at 07:42 UTC.

Remediation

Vendor Solution

Update the WordPress Houzez theme to the latest available version (at least 4.1.4).

OpenCVE Recommended Actions

  • Update the Houzez theme to version 4.1.4 or later, as the vendor has provided a fix for the reflected XSS issue.
  • If an immediate update is not possible, implement a web application firewall or content security policy that restricts script execution from untrusted sources to reduce the impact of reflected XSS attacks.
  • Monitor site activity for anomalous script execution attempts and consider disabling or hardening any input fields that may be reflected by the theme until a patch is applied.

Generated by OpenCVE AI on April 30, 2026 at 07:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26007 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS. This issue affects Houzez: from n/a through 4.1.1.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-266
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue affects Premium SEO Pack: from n/a through <= 3.3.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS. This issue affects Houzez: from n/a through 4.1.1.
Title WordPress Premium SEO Pack Plugin <= 3.3.2 - Privilege Escalation Vulnerability WordPress Houzez Theme <= 4.1.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS. This issue affects Houzez: from n/a through 4.1.1. Incorrect Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue affects Premium SEO Pack: from n/a through <= 3.3.2.
Title WordPress Houzez Theme <= 4.1.1 - Cross Site Scripting (XSS) Vulnerability WordPress Premium SEO Pack Plugin <= 3.3.2 - Privilege Escalation Vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress
Vendors & Products Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS. This issue affects Houzez: from n/a through 4.1.1.
Title WordPress Houzez Theme <= 4.1.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Favethemes Houzez
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:03.578Z

Reserved: 2025-06-04T15:44:12.381Z

Link: CVE-2025-49407

cve-icon Vulnrichment

Updated: 2025-08-28T19:03:39.640Z

cve-icon NVD

Status : Deferred

Published: 2025-08-28T13:16:00.273

Modified: 2026-04-28T19:33:05.360

Link: CVE-2025-49407

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T07:45:26Z

Weaknesses