VulnTitan VulnTitan Security command center
Theme Vulnerability Hub
Theme 16 known issues Latest disclosed Nov 26, 2025

Houzez Vulnerabilities

Review known vulnerability records for the WordPress theme Houzez (`houzez`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-9191, CVE-2025-9163 and CVE-2025-62053, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
16
High or Critical
6
Patch Coverage
100%
Last Updated
Nov 26, 2025
Priority CVE Quick Links

Fast paths into Houzez CVE reports

Start with the highest-signal CVE records for this WordPress theme before scanning the full vulnerability feed.

Indexed CVEs
15
CVE-2023-29432 Critical 2.8.3
CVE-2023-29432 Houzez SQL Injection

Houzez <= 2.8.2 - Unauthenticated SQL Injection

CVE-2023-26540 Critical 2.7.2
CVE-2023-26540 Houzez Privilege Escalation

Houzez <= 2.7.1 - Privilege Escalation

CVE-2024-22303 High 3.3.0
CVE-2024-22303 Houzez Privilege Escalation

Houzez <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation

CVE-2025-62053 High 4.2.0
CVE-2025-62053 Houzez Local File Inclusion

Houzez < 4.2.0 - Unauthenticated Local File Inclusion

CVE-2025-49405 High 4.1.4
CVE-2025-49405 Houzez Local File Inclusion

Houzez <= 4.1.1 - Unauthenticated Local File Inclusion

CVE-2025-53198 High 4.0.8
CVE-2025-53198 Houzez Local File Inclusion

Houzez <= 4.0.4 - Unauthenticated Local File Inclusion

CVE-2025-9191 Medium 4.1.7
CVE-2025-9191 Houzez Vulnerability

Houzez <= 4.1.6 - Authenticated (Subscriber+) PHP Object Injection via Saved Search

CVE-2025-9163 Medium 4.1.7
CVE-2025-9163 Houzez File Upload

Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Houzez so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
16 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
2 critical and 4 high severity findings.
Recent CVEs
CVE-2025-9191, CVE-2025-9163 and CVE-2025-62053
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Houzez

Sorted by latest disclosure date so newly published issues surface first.

Theme Medium Patched: Yes CVE-2025-9191
CVE-2025-9191: Houzez <= 4.1.6 - Authenticated (Subscriber+) PHP Object Injection via Saved Search

The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject...

Published
Nov 26, 2025
Patched Release
4.1.7
Affected Versions
Versions up to 4.1.6
Next Step
Update to 4.1.7 or newer if supported.
Open CVE-2025-9191 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-9163
CVE-2025-9163: Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() func...

Published
Nov 26, 2025
Patched Release
4.1.7
Affected Versions
Versions up to 4.1.6
Next Step
Update to 4.1.7 or newer if supported.
Open CVE-2025-9163 Report Open CVE Reference
Theme High Patched: Yes CVE-2025-62053
CVE-2025-62053: Houzez < 4.2.0 - Unauthenticated Local File Inclusion

The Houzez theme for WordPress is vulnerable to Local File Inclusion in versions up to 4.2.0. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypa...

Published
Oct 16, 2025
Patched Release
4.2.0
Affected Versions
Versions before 4.2.0
Next Step
Update to 4.2.0 or newer if supported.
Open CVE-2025-62053 Report Open CVE Reference
Theme High Patched: Yes CVE-2025-49405
CVE-2025-49405: Houzez <= 4.1.1 - Unauthenticated Local File Inclusion

The Houzez theme for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.1. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can...

Published
Aug 27, 2025
Patched Release
4.1.4
Affected Versions
Versions up to 4.1.1
Next Step
Update to 4.1.4 or newer if supported.
Open CVE-2025-49405 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-49407
CVE-2025-49407: Houzez <= 4.1.1 - Reflected Cross-Site Scripting

The Houzez theme for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

Published
Aug 27, 2025
Patched Release
4.1.4
Affected Versions
Versions up to 4.1.1
Next Step
Update to 4.1.4 or newer if supported.
Open CVE-2025-49407 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-49406
CVE-2025-49406: Houzez <= 4.1.1 - Missing Authorization

The Houzez theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.1.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Aug 20, 2025
Patched Release
4.1.4
Affected Versions
Versions up to 4.1.1
Next Step
Update to 4.1.4 or newer if supported.
Open CVE-2025-49406 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-53997
CVE-2025-53997: Houzez <= 4.0.4 - Missing Authorization

The Houzez theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized...

Published
Jul 16, 2025
Patched Release
4.1.1
Affected Versions
Versions up to 4.0.4
Next Step
Update to 4.1.1 or newer if supported.
Open CVE-2025-53997 Report Open CVE Reference
Theme Medium Patched: No CVE-2025-49952
CVE-2025-49952: Houzez <= 4.1.1 - Authenticated (Subscriber+) Insecure Direct Object Reference

The Houzez theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.1 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform...

Published
Jul 11, 2025
Patched Release
Not published
Affected Versions
Versions up to 4.1.1
Next Step
Open the full report for remediation notes and references.
Open CVE-2025-49952 Report Open CVE Reference
Theme High Patched: Yes CVE-2025-53198
CVE-2025-53198: Houzez <= 4.0.4 - Unauthenticated Local File Inclusion

The Houzez theme for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.0.4. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can...

Published
Jul 01, 2025
Patched Release
4.0.8
Affected Versions
Versions up to 4.0.4
Next Step
Update to 4.0.8 or newer if supported.
Open CVE-2025-53198 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-24754
CVE-2025-24754: Houzez <= 3.4.0 - Missing Authorization

The Houzez theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized...

Published
Jan 24, 2025
Patched Release
3.4.2
Affected Versions
Versions up to 3.4.0
Next Step
Update to 3.4.2 or newer if supported.
Open CVE-2025-24754 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-24747
CVE-2025-24747: Houzez <= 3.4.1 - Missing Authorization

The Houzez theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized...

Published
Jan 21, 2025
Patched Release
3.4.2
Affected Versions
Versions up to 3.4.1
Next Step
Update to 3.4.2 or newer if supported.
Open CVE-2025-24747 Report Open CVE Reference
Theme High Patched: Yes CVE-2024-22303
CVE-2024-22303: Houzez <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation

The Houzez theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the houzez_ajax_password_reset function not properly verifying a user's identity prior to reseting a password. This makes it possible for authenticated...

Published
Sep 17, 2024
Patched Release
3.3.0
Affected Versions
Versions up to 3.2.4
Next Step
Update to 3.3.0 or newer if supported.
Open CVE-2024-22303 Report Open CVE Reference