Description
Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.2.5.
Published: 2025-10-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Houzez theme contains an IDOR flaw that lets an attacker manipulate a user‑controlled key to access data not meant for them. The vulnerability falls under CWE‑639 and can expose personal or product information belonging to other site users. The flaw is not a remote code execution or privilege escalation beyond data exposure; it simply bypasses intended access controls.

Affected Systems

Favethemes Houzez theme versions starting from the first release up through 4.2.5 are affected. No specific earlier release is listed, but all versions up to and including 4.2.5 may contain the flaw.

Risk and Exploitability

The CVSS score of 6.5 signifies a moderate severity impact. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in CISA KEV. Attackers are expected to exploit the weakness by feeding a crafted key or URL parameter to bypass authorization checks. While the description does not specify a network requirement, such IDOR attacks can typically be carried out over the web by anyone who can guess or intercept the vulnerable URL.

Generated by OpenCVE AI on April 30, 2026 at 05:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Houzez theme to the latest version (4.3.0 or newer).
  • Configure role‑based access controls to ensure only authorized users can request sensitive data.
  • Deploy a security plugin or custom code that validates user permissions before serving content to prevent IDOR exploitation.

Generated by OpenCVE AI on April 30, 2026 at 05:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.1.1. Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.2.5.
Title WordPress Houzez Theme <= 4.1.1 - Insecure Direct Object References (IDOR) Vulnerability WordPress Houzez theme <= 4.2.5 - Insecure Direct Object References (IDOR) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Thu, 23 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress
Vendors & Products Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.1.1.
Title WordPress Houzez Theme <= 4.1.1 - Insecure Direct Object References (IDOR) Vulnerability
Weaknesses CWE-639
References

Subscriptions

Favethemes Houzez
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:08.925Z

Reserved: 2025-06-11T16:07:27.326Z

Link: CVE-2025-49952

cve-icon Vulnrichment

Updated: 2025-10-23T14:29:24.857Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:41.620

Modified: 2026-04-27T20:16:19.140

Link: CVE-2025-49952

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:45:16Z

Weaknesses