CVE-2025-9191
📋 TL;DR
The Houzez WordPress theme is vulnerable to PHP object injection through deserialization of untrusted input in saved-search-item.php. This allows authenticated attackers with Subscriber-level access or higher to inject PHP objects, but exploitation requires a separate plugin or theme containing a POP chain to be present on the system. Without a POP chain, the vulnerability has no direct impact.
💻 Affected Systems
- Houzez WordPress Theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
If combined with a POP chain from another plugin/theme, attackers could achieve remote code execution, delete arbitrary files, or retrieve sensitive data.
Likely Case
No impact unless another vulnerable plugin/theme with POP chain is installed; most sites will see no exploitation.
If Mitigated
With proper access controls and no vulnerable plugins/themes, risk is minimal to none.
🎯 Exploit Status
Exploitation requires: 1) authenticated access, 2) presence of POP chain in another plugin/theme, 3) specific object injection knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.1.7 or later
Vendor Advisory: https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog
Restart Required: No
Instructions:
1. Update the Houzez theme to version 4.1.7 or later via the WordPress admin panel.
2. No server restart is required.
3. Clear any caching plugins after the update.
🔧 Temporary Workarounds
Remove vulnerable theme
Temporarily switch to a default WordPress theme until the patch can be applied.
Restrict user registration
Disable new user registration to prevent attackers from obtaining Subscriber accounts.
🧯 If You Can't Patch
- Remove or disable the Houzez theme immediately
- Audit and remove any plugins/themes that might contain POP chains
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Appearance > Themes for Houzez theme version 4.1.6 or earlier
Check Version:
wp theme list --fields=name,version --format=csv | grep houzez
Verify Fix Applied:
Verify Houzez theme version is 4.1.7 or later in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to saved-search-item.php
- Multiple failed authentication attempts followed by successful Subscriber login
Network Indicators:
- HTTP requests with serialized PHP objects in parameters
SIEM Query:
source="wordpress.log" AND (uri="*saved-search-item.php*" AND (method="POST" OR params CONTAINS "O:"))
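The SIEM query above matches on a bare "O:" substring, which is noisy. As an added example (not part of the original advisory), the following Python scans constructed access-log lines for requests to saved-search-item.php and flags only bodies that carry a real PHP serialized-object header (`O:<len>:"<Class>":<n>:{`), after URL-decoding. The log format, request path and sample bodies are assumptions for the example; the page does not give the file's real path, so matching is on the file name only.

```python
import re
from urllib.parse import unquote_plus

# PHP serialized object header: O:<len>:"<ClassName>":<fields>:{
# Far more specific than a bare "O:" substring, which also hits ordinary text.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')

# Assumed log line shape: combined-log prefix with the request body appended
# after "body=". Adjust LOG_RE to your web server / WAF logging format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d+) body=(?P<body>.*)$'
)

# Constructed sample lines (path under /houzez/ is a placeholder, not the real one).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2025:10:01:02 +0000] "POST /houzez/saved-search-item.php HTTP/1.1" 200 body=search_id=42&data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D
10.0.0.6 - bob [12/Mar/2025:10:02:10 +0000] "GET /houzez/saved-search-item.php HTTP/1.1" 200 body=
10.0.0.7 - carol [12/Mar/2025:10:03:15 +0000] "POST /wp-login.php HTTP/1.1" 302 body=log=carol
10.0.0.8 - dave [12/Mar/2025:10:04:20 +0000] "POST /houzez/saved-search-item.php HTTP/1.1" 200 body=search_id=43&label=Condos%20O%3Ahome
"""


def classify(line):
    """Return 'alert', 'review' or None for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["uri"].split("?", 1)[0]
    if not path.endswith("saved-search-item.php"):
        return None
    # Decode form-encoding so %3A / %22 become ':' and '"' before matching.
    if PHP_OBJECT_RE.search(unquote_plus(m["body"])):
        return "alert"   # serialized object sent to the deserializing endpoint
    if m["method"] == "POST":
        return "review"  # POST to the endpoint without an object payload
    return None


def scan(log_text):
    """Return (verdict, ip, user, method) tuples for lines worth attention."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            m = LOG_RE.match(line)
            findings.append((verdict, m["ip"], m["user"], m["method"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(*f)
```

The "Condos O:home" label on the last sample line shows why the strict header pattern matters: it is an ordinary POST and is only queued for review, not alerted on.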