PHP Remote File Inclusion Vulnerability in Favethemes Houzez
CVE-2025-53198

8.1HIGH

Key Information:

Vendor: WordPress
Status: Houzez
Vendor: CVE Published:; 20 August 2025

What is CVE-2025-53198?

A vulnerability exists in the Favethemes Houzez product due to improper control of filename parameters within the PHP program, allowing for unauthorized local file inclusion. This issue, found in versions up to and including 4.0.4, could enable attackers to execute malicious code by manipulating include or require statements. Users are advised to ensure their installations are updated to protect against this security risk.

Affected Version(s)

Houzez <= 4.0.4

References

https://patchstack.com/database/wordpress/theme/houzez/vu...

vdb-entry

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2025
Vulnerability Reserved
Jun 27, 2025

Credit

Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) (Patchstack Alliance)

WordPress

What is CVE-2025-53198?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit