CVE-2025-9191

Name of the Vulnerable Software and Affected Versions Houzez versions prior to 4.1.7

Description The Houzez theme for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the saved-search-item.php file. This allows authenticated attackers with Subscriber-level access or higher to inject a PHP Object. Currently, no known PHP Object Injection (POP) chain exists within the vulnerable software itself. However, if another plugin or theme containing a POP chain is installed on the same site, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the specific POP chain present.

Recommendations Update Houzez to version 4.1.7 or later.