What the vulnerability does
01Description
Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.2.5.
Explanation of Vulnerability in Simple Terms
02Summary
Houzez versions 4.2.5 and earlier contain an authorization flaw that allows authenticated users to cause a denial of service by disrupting site availability. An attacker with low-level account access can trigger the vulnerability without user interaction. The issue affects the availability of the site but does not expose or modify data.
What an attacker can do
03Attacker Capabilities
An authenticated attacker can disrupt site availability and cause a denial of service.
Potential impact on your site
04Site Impact
Site availability can be disrupted by users with basic account access; data confidentiality and integrity are not at risk.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account on the site; no user interaction required.
Key dates
06Disclosure timeline
October 22, 2025
CVE published
April 28, 2026
Record updated