CVE-2025-49952 MEDIUM

CVE-2025-49952: WordPress Houzez theme <= 4.2.5 - Insecure Direct Object References (IDOR) vulnerability

Vendor Favethemes
Product Houzez
Weakness CWE-639 · IDOR
Published October 22, 2025
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Houzez: from n/a through <= 4.2.5.

Explanation of Vulnerability in Simple Terms

02 Summary

Houzez versions 4.2.5 and earlier contain an authorization flaw (CWE-639: a user-controlled key is acted on without checking that the caller is permitted to act on that object) that lets an authenticated user with a low-privilege account disrupt the site's availability. No user interaction is required. The flaw affects availability only; it does not expose or modify data.
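The record above names the weakness class but not the affected handler or parameter, so the following is an added, constructed illustration of CWE-639 in a WordPress context rather than Houzez's own code or the actual flaw. The action name `example_toggle_listing`, the `listing_id` parameter, the `example_listing` post type and the meta key are all assumptions. It shows the vulnerable shape (a logged-in check but no per-object check) beside the hardened form that asks WordPress whether this user may act on this specific post.

```php
<?php
// Constructed example of CWE-639 (authorization bypass through a user-controlled key)
// in a WordPress AJAX handler. Not code from the Houzez theme; the names below are assumptions.

// VULNERABLE: the handler trusts the caller-supplied ID and only verifies that the
// caller is logged in. Any low-privilege account can act on any listing it can guess the ID of.
function example_toggle_listing_vulnerable() {
    check_ajax_referer( 'example_toggle_listing', 'nonce' ); // CSRF token only; not an authorization check
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    update_post_meta( $listing_id, 'example_listing_status', 'hidden' );
    wp_send_json_success();
}

// HARDENED: resolve the object, confirm it is the expected type, then ask WordPress
// whether THIS user may edit THIS post. 'edit_post' is a meta capability that
// map_meta_cap() resolves against the post's author and status, so a Subscriber
// or a non-owning Contributor is denied even with a valid ID and nonce.
function example_toggle_listing_hardened() {
    check_ajax_referer( 'example_toggle_listing', 'nonce' );
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    $listing    = get_post( $listing_id );

    if ( ! $listing || 'example_listing' !== $listing->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    if ( ! current_user_can( 'edit_post', $listing->ID ) ) {
        // Record denied attempts: one account failing against many IDs in a short
        // window is the signature of IDOR probing and is worth alerting on.
        error_log( sprintf( 'denied object access: user %d, listing %d', get_current_user_id(), $listing->ID ) );
        wp_send_json_error( 'forbidden', 403 );
    }
    update_post_meta( $listing->ID, 'example_listing_status', 'hidden' );
    wp_send_json_success();
}

add_action( 'wp_ajax_example_toggle_listing', 'example_toggle_listing_hardened' );
```

The key design point is that the capability check is made against the object's ID, not just the user's role: `current_user_can( 'edit_post', $id )` lets WordPress decide ownership, whereas a bare `is_user_logged_in()` or a role check never looks at which record the key points to.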

What an attacker can do

03 Attacker Capabilities

An authenticated attacker can disrupt site availability and cause a denial of service.

Potential impact on your site

04 Site Impact

Site availability can be disrupted by users with basic account access; data confidentiality and integrity are not at risk.

Conditions required to exploit

05 Prerequisites

The attacker must have a low-privilege account on the site; no user interaction is required.

Key dates

06 Disclosure timeline

October 22, 2025 CVE published
April 28, 2026 Record updated
