Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez houzez. This issue affects Houzez: from n/a through < 4.2.0.
Published: 2025-11-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Houzez WordPress theme contains an Improper Control of Filename for Include/Require Statement flaw (CWE-98). The flaw lets an attacker supply arbitrary local file paths to the theme's PHP include logic, potentially exposing sensitive server files. Although the CWE name refers to remote file inclusion, the advisory title classifies this as a local file inclusion vulnerability, which may let attackers read files that should otherwise be inaccessible through the web interface.

Affected Systems

Any installation of the Houzez theme for WordPress with a version earlier than 4.2.0 is affected; the issue is present from the earliest available release through all releases before the 4.2.0 update.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low but non-zero exploitation probability. The vulnerability is currently not included in CISA's KEV catalog. Because the issue is a local file inclusion flaw, exploitation likely requires an unauthenticated attacker to supply crafted input (for example, query parameters or form fields that are passed to the theme's include logic) that references local files.

Generated by OpenCVE AI on April 30, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Houzez theme to version 4.2.0 or later to apply the vendor‑issued fix.
  • If an upgrade cannot be performed immediately, temporarily disable the Houzez theme and activate a different, known‑secure theme to eliminate the vulnerable code path.
  • Implement a web application firewall rule or modify PHP configuration to restrict directory traversal and inclusion of arbitrary local files, such as enabling open_basedir restrictions or blocking suspicious query strings containing '..' or slashes before they reach the theme logic.

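To make the remediation concrete, the following is an added example, not code from Houzez or from OpenCVE: the CWE-98 include pattern the advisory describes, beside an allowlist-based loader that keeps request input out of the filesystem path. The template directory layout, the template names and the parameter name are assumptions.

```php
<?php
// Added illustration of CWE-98 (not Houzez code). Assumed layout:
// templates live in <theme>/templates/<name>.php.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable form: a request parameter becomes part of the include() path.
// A fixed prefix and ".php" suffix do not help; '..' segments in the value
// (the traversal the recommended WAF rule looks for) still leave the
// templates directory.
function load_template_unsafe(): void
{
    $name = $_GET['template'] ?? 'default';
    include TEMPLATE_DIR . '/' . $name . '.php';
}

// Hardened form: the request value is only ever a key into a fixed map,
// so no byte of user input is used as a path component.
const TEMPLATE_ALLOWLIST = [
    'default' => 'default.php',
    'listing' => 'listing.php',
    'agent'   => 'agent.php',
];

function resolve_template(string $requested): string
{
    $file = TEMPLATE_ALLOWLIST[$requested] ?? TEMPLATE_ALLOWLIST['default'];

    // Defence in depth: verify the resolved file is still inside TEMPLATE_DIR,
    // which also catches a careless future edit of the allowlist itself.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $file);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template resolves outside the theme directory');
    }
    return $path;
}

function load_template_safe(): void
{
    $raw = $_GET['template'] ?? null;
    $requested = is_string($raw) ? $raw : 'default';
    include resolve_template($requested);
}

// resolve_template('../../wp-config') never touches that path: an unknown key
// falls back to default.php inside TEMPLATE_DIR.
```

The same allowlist idea applies to any theme or plugin code that maps a request value to a file; the open_basedir restriction from the recommended actions is a separate, server-wide backstop rather than a replacement for it.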
Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Thu, 13 Nov 2025 11:30:00 +0000

Thu, 13 Nov 2025 10:45:00 +0000

Thu, 06 Nov 2025 22:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 20:45:00 +0000

Type: First Time appeared
Values Added: Favethemes; Favethemes houzez; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Favethemes; Favethemes houzez; Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez houzez. This issue affects Houzez: from n/a through < 4.2.0.

Type: Title
Values Added: WordPress Houzez theme < 4.2.0 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:59.715Z

Reserved: 2025-10-07T15:34:31.733Z

Link: CVE-2025-62053

Vulnrichment

Updated: 2025-11-06T21:16:15.884Z

NVD

Status: Deferred

Published: 2025-11-06T16:16:11.733

Modified: 2026-04-27T18:16:24.673

Link: CVE-2025-62053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:45:24Z

Weaknesses