CVE-2025-53997

2025-07-16 [email protected]
WordPress PHP Authentication Bypass

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionNVD

Missing Authorization vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.0.4.

AnalysisAI

Missing authorization controls in favethemes Houzez WordPress theme through version 4.0.4 allow unauthenticated attackers to bypass access control restrictions and access resources they should not be permitted to view. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is low despite the vulnerability's presence in a popular real estate theme.

Technical ContextAI

This vulnerability is classified as CWE-862 (Missing Authorization), a common weakness in web applications where authorization checks are either missing entirely or improperly implemented. The Houzez theme, a real estate listing WordPress theme by favethemes, fails to enforce proper access control at application entry points, meaning the authorization mechanism either does not verify user roles/capabilities before processing requests or applies insufficient security levels to protected endpoints. WordPress plugins and themes that implement custom functionality often bypass core permission checking when building admin AJAX handlers, REST API endpoints, or custom post type management features, creating windows for privilege escalation or information disclosure.

Affected ProductsAI

favethemes Houzez WordPress theme versions from initial release through 4.0.4 are affected by this authorization bypass vulnerability. The theme, available on WordPress.org and commercial channels, is used for real estate property listing and management functionality. Administrators running Houzez 4.0.4 or earlier versions should prioritize updates.

RemediationAI

Upgrade favethemes Houzez theme to a patched version released after 4.0.4. Administrators should navigate to Appearance > Themes in WordPress dashboard, locate Houzez, and initiate the update process once available from the vendor. In the interim, review and restrict user role capabilities within WordPress to limit access to sensitive functions, use security plugins to audit unauthorized access attempts on protected endpoints, and consider disabling the Houzez theme if a patched version is unavailable and the real estate functionality is non-critical. Refer to the vendor advisory at https://patchstack.com/database/Wordpress/Theme/houzez/vulnerability/wordpress-houzez-theme-4-0-4-broken-access-control-vulnerability for official remediation guidance and patch availability.

Share

CVE-2025-53997 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy