What the vulnerability does
01 Description
The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
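To make the mechanism in the description concrete, here is an added PHP illustration. It is not Houzez code and does not reproduce saved-search-item.php: it is a generic handler that stores a logged-in user's saved search, written to show the vulnerable pattern (unserialize() on request data) next to two hardened forms. The function names, the WakeupProbe class, the expected data shape and the sample inputs are all assumptions; it runs stand-alone on PHP 8.

```php
<?php
declare(strict_types=1);

// Added illustration, not the theme's code. WakeupProbe is a harmless stand-in
// for any class with magic methods that happens to be loaded on a site; its
// only job is to record whether unserialize() ever brought it to life.
final class WakeupProbe
{
    public static int $wakeups = 0;
    public string $note = '';

    public function __wakeup(): void
    {
        self::$wakeups++; // a real gadget class would do file, DB or shell work here
    }
}

/**
 * Vulnerable pattern (assumed, generic): the serialized string comes straight
 * from the request. unserialize() instantiates whatever class names appear in
 * $raw, so any authenticated caller who reaches this code decides which objects
 * exist in the process. That is PHP Object Injection; whether it causes damage
 * depends on which gadget classes (a POP chain) are loaded alongside.
 */
function save_search_item_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

/**
 * Hardened form 1: keep the wire format but forbid object creation.
 * With allowed_classes => false every object record becomes a
 * __PHP_Incomplete_Class whose magic methods never run. The handler then
 * accepts only the flat array of scalars a saved search should be.
 */
function save_search_item_hardened(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]); // false + notice on malformed input
    if (!is_array($data) || contains_object($data)) {
        return null; // malformed, or an object record was present: reject
    }
    foreach ($data as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return null;
        }
    }
    return $data;
}

/** Recursively detect any object (incomplete classes included) inside a value. */
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Hardened form 2: do not accept PHP serialization from clients at all.
 * JSON has no way to name a class, so json_decode() never instantiates
 * anything; the shape check from above still applies to the result.
 */
function save_search_item_json(string $raw): ?array
{
    try {
        $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Constructed inputs: a legitimate saved search, and a serialized object of
// a class that exists in this process, standing in for untrusted input.
$benign   = serialize(['keyword' => 'villa', 'max_price' => '500000']);
$injected = serialize(new WakeupProbe());

save_search_item_vulnerable($injected);
printf("vulnerable handler: __wakeup ran %d time(s)\n", WakeupProbe::$wakeups);

WakeupProbe::$wakeups = 0;
$rejected = save_search_item_hardened($injected);
printf("hardened handler: returned %s, __wakeup ran %d time(s)\n",
    var_export($rejected, true), WakeupProbe::$wakeups);

print_r(save_search_item_hardened($benign));
print_r(save_search_item_json('{"keyword":"villa","max_price":"500000"}'));
```

Running it shows the difference the advisory is about: the vulnerable handler instantiates WakeupProbe and its __wakeup() executes once, while the hardened handler returns null for the same input and the probe's __wakeup() never runs, because the object record was decoded as __PHP_Incomplete_Class and then rejected. The benign input passes both hardened handlers. Of the two fixes, switching the client-facing format to JSON removes the class of bug entirely; allowed_classes => false is the smaller change when existing stored data must stay readable.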
Explanation of Vulnerability in Simple Terms
02 Summary
Houzez versions up to and including 4.1.6 contain a deserialization vulnerability that allows authenticated users to execute arbitrary code by submitting malicious serialized data. An attacker with low-privilege site access can exploit this to read sensitive data, modify site content, or disrupt availability. Update to a version newer than 4.1.6 to remediate.
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify site content, or disrupt site availability by submitting malicious serialized objects.
Potential impact on your site
04 Site Impact
Any authenticated user, including low-privilege accounts, can compromise site data and functionality without additional interaction.
Conditions required to exploit
05 Prerequisites
The attacker must have a low-privilege authenticated account on the site; no user interaction is required.
Key dates
06 Disclosure timeline
November 26, 2025: CVE published
April 8, 2026: Record updated