CVE-2025-62053
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-62053 is an Improper Control of Filename for Include/Require Statement in PHP Program, classified as a PHP Remote File Inclusion vulnerability (CWE-98), affecting the Houzez WordPress theme developed by favethemes. This issue impacts Houzez versions from n/a through those prior to 4.2.0.
Unauthenticated remote attackers can exploit the vulnerability over the network without requiring user interaction, though exploitation demands high attack complexity (AV:N/AC:H/PR:N/UI:N/S:U). Successful attacks enable high-impact consequences on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.1, potentially allowing arbitrary file inclusion and related compromises.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/houzez/vulnerability/wordpress-houzez-theme-4-2-0-local-file-inclusion-vulnerability?_s_id=cve documents the vulnerability and indicates mitigation through updating to Houzez version 4.2.0 or later, where the issue is addressed.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote file inclusion flaw in a public-facing WordPress theme, directly exploited unauthenticated over the network, mapping to exploitation of public-facing applications.