CVE-2025-49952

MEDIUM
2025-10-22 [email protected]
WordPress PHP Authentication Bypass
6.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Oct 22, 2025 - 15:15 nvd
MEDIUM 6.3

DescriptionNVD

Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.2.5.

AnalysisAI

Authorization bypass in Houzez WordPress theme versions up to 4.2.5 allows authenticated users to access or modify resources they should not have permission to reach through insecure direct object reference (IDOR) vulnerabilities. An authenticated attacker with low privileges can exploit inadequately configured access controls to view or modify data belonging to other users, achieving limited information disclosure and integrity compromise. The vulnerability is not confirmed as actively exploited, though the attack vector is network-based with low complexity.

Technical ContextAI

Houzez is a WordPress real estate theme that implements user access controls for property listings and related resources. The vulnerability stems from CWE-639 (Authorization Through User-Controlled Key), a flaw where access decisions depend on user-supplied identifiers without proper server-side validation of ownership or authorization scope. When users interact with objects (properties, bookings, or profiles) via direct references (IDs, slugs, or tokens), the application fails to verify whether the requesting user has legitimate access to that specific resource. This IDOR pattern is common in WordPress plugins and themes that handle multi-user content without implementing capability checks tied to WordPress roles and permissions.

Affected ProductsAI

Favethemes Houzez WordPress theme is affected in all versions from an unspecified baseline through and including version 4.2.5. The vulnerability was reported via Patchstack's vulnerability database, which documents WordPress theme security issues. Site administrators running Houzez on WordPress installations are impacted if they have not upgraded to a patched version released after the advisory date.

RemediationAI

Update Houzez to the latest patched version beyond 4.2.5 via WordPress theme updates. Site administrators should navigate to Appearance > Themes in the WordPress dashboard, check for available updates, and apply the patch immediately. For organizations unable to update immediately, implement WordPress user role restrictions to limit which users can access sensitive real estate listings and customer data, and review WordPress access logs for signs of IDOR exploitation (unusual cross-user resource access patterns). Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/houzez/vulnerability/wordpress-houzez-theme-4-1-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve for the specific patched version number and additional mitigation guidance.

Share

CVE-2025-49952 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy