CVE-2025-49405 is a high-severity vulnerability classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the Favethemes Houzez product, a popular real estate WordPress theme. The flaw allows an attacker to perform a PHP Local File Inclusion (LFI) attack by manipulating the filename parameter that is used in include or require statements without proper validation or sanitization. This can lead to the inclusion and execution of arbitrary local files on the server. The vulnerability is present in versions of Houzez prior to 4.1.4, with no specific affected versions detailed beyond that. The CVSS 3.1 base score is 8.1, indicating a high severity level, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This means the attack can be launched remotely over the network without requiring privileges or user interaction, but it has a high attack complexity. Successful exploitation can lead to full compromise of confidentiality, integrity, and availability of the affected system. Although no known exploits are currently reported in the wild, the vulnerability’s nature makes it a critical concern for web servers running the affected theme. The lack of a patch link suggests that a fix may not yet be publicly available or is pending release. The vulnerability arises from the failure to properly validate or restrict the filename input used in PHP include/require statements, allowing attackers to traverse directories or specify unintended files, potentially exposing sensitive data or enabling remote code execution if combined with other vulnerabilities or misconfigurations.

For European organizations using the Favethemes Houzez WordPress theme, this vulnerability poses a significant risk. Real estate agencies, property listing services, and related businesses relying on this theme may face data breaches exposing sensitive client information, including personal data protected under GDPR. The ability to include arbitrary local files can lead to disclosure of configuration files, database credentials, or other critical assets, facilitating further attacks. Additionally, attackers could execute malicious code, resulting in website defacement, service disruption, or use of compromised servers as pivot points for broader network intrusions. The high confidentiality, integrity, and availability impact means that business operations could be severely disrupted, reputational damage incurred, and regulatory penalties imposed for data protection violations. Given the remote exploitability without authentication or user interaction, the threat surface is broad, increasing the likelihood of automated scanning and exploitation attempts. Organizations with public-facing websites using this theme are particularly vulnerable, especially if they have not updated to the patched version or implemented compensating controls.

European organizations should immediately verify if their websites use the Favethemes Houzez theme and determine the version in use. Upgrading to version 4.1.4 or later, where the vulnerability is addressed, is the primary mitigation step. If immediate patching is not feasible, organizations should implement strict input validation and sanitization on all parameters that influence file inclusion paths, employing whitelisting of allowed filenames and disallowing directory traversal sequences. Web Application Firewalls (WAFs) should be configured to detect and block suspicious requests attempting to exploit LFI patterns, such as those containing '../' sequences or null byte injections. Restricting PHP file permissions and disabling unnecessary PHP functions like include(), require(), or allow_url_include in the server configuration can reduce exploitation risk. Regular security audits and monitoring for anomalous file access or web server logs can help detect exploitation attempts early. Additionally, organizations should ensure backups are current and tested to enable rapid recovery in case of compromise.