CVE-2025-9191: CWE-502 Deserialization of Untrusted Data in favethemes Houzez
The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
AI Analysis
Technical Summary
CVE-2025-9191 is a deserialization vulnerability classified under CWE-502 affecting the Houzez WordPress theme up to and including version 4.1.6. The flaw arises from unsafe deserialization of untrusted input in the saved-search-item.php file, enabling PHP Object Injection. This allows authenticated users with at least Subscriber privileges to inject crafted PHP objects into the application. However, the vulnerability is not exploitable on its own, because Houzez does not contain the POP (Property-Oriented Programming) gadget chain needed to trigger malicious behavior. The risk materializes only if another installed plugin or theme contains a POP chain, which can be leveraged to perform destructive actions such as arbitrary file deletion, sensitive data disclosure, or remote code execution. The vulnerability is remotely exploitable over the network without user interaction and requires low privileges, making it a moderate threat. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and low impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the presence of multiple plugins or themes with POP chains increases the attack surface. The vulnerability was reserved in August 2025 and published in November 2025, with no official patches available at the time of reporting.
Potential Impact
For European organizations, the impact depends heavily on the WordPress environment composition. Organizations using the Houzez theme in the real estate sector or related industries are at risk, especially if they have multiple plugins or themes installed that contain POP chains. Successful exploitation could lead to unauthorized deletion of files, leakage of sensitive client or business data, or full remote code execution, potentially compromising entire websites or backend systems. This could result in reputational damage, regulatory penalties under GDPR due to data breaches, and operational disruption. Since the vulnerability requires authenticated access, organizations with weak user management or many low-privilege users are more vulnerable. The medium CVSS score indicates a moderate risk, but the chained exploitation possibility elevates the threat in complex environments. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploit chains over time.
Mitigation Recommendations
1. Immediately audit all WordPress installations using the Houzez theme and identify versions up to 4.1.6.
2. Remove or update the Houzez theme to a patched version once available.
3. Conduct a thorough review of all installed plugins and themes to identify any that contain POP chains or unsafe deserialization patterns.
4. Restrict user privileges rigorously, ensuring that Subscriber-level users have minimal access and that authentication mechanisms are robust.
5. Implement web application firewalls (WAFs) with rules to detect and block suspicious deserialization payloads or PHP Object Injection attempts.
6. Monitor logs for unusual activity related to saved-search-item.php or deserialization functions.
7. Consider isolating or sandboxing WordPress environments to limit the impact of potential exploitation.
8. Educate administrators and developers about the risks of unsafe deserialization and encourage secure coding practices.
9. Regularly back up website data and configurations to enable recovery in case of compromise.
10. Stay informed on vendor updates and apply patches promptly once released.
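The object injection described in the Technical Summary and mitigation steps 5 and 6 both depend on recognising PHP `serialize()` object tokens in request input. The Python detector below is an added example, not code from the advisory or from Houzez; it assumes logged request bodies are form-urlencoded, and the parameter names and sample bodies are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlencode

# serialize() object token: O:<name length>:"<Class>":<property count>:{
# (C: is the legacy Serializable form). Anchored to the start of the value or
# to a structural ';' / '{' so text such as 'PRO:5:"abc":1:{' does not match.
OBJ_TOKEN = re.compile(r'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')


def _layers(value):
    """Yield (label, text) for the value as received and common re-encodings."""
    yield "raw", value
    twice = unquote_plus(value)
    if twice != value:
        yield "double-url-encoded", twice
    try:
        padded = value + "=" * (-len(value) % 4)
        text = base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return  # not base64, nothing to inspect at this layer
    yield "base64", text


def find_object_tokens(body):
    """Return [(param, layer, class_name)] for a urlencoded query or form body."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for label, text in _layers(value):
            hits += [(name, label, m.group(1)) for m in OBJ_TOKEN.finditer(text)]
    return hits


# Constructed sample bodies; parameter names are placeholders, and the only
# class used is PHP's inert built-in stdClass.
INERT = 'a:1:{i:0;O:8:"stdClass":0:{}}'
SAMPLES = {
    "plain search": urlencode({"keyword": "apartment berlin", "beds": "2"}),
    "raw object": urlencode({"data": INERT}),
    "base64 object": urlencode({"data": base64.b64encode(INERT.encode()).decode()}),
    "double encoded": urlencode({"data": quote(INERT, safe="")}),
    "lookalike text": urlencode({"bio": 'PRO:5:"abc":1:{'}),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:15} {find_object_tokens(body) or 'clean'}")
```

A hit means the parameter carries a serialized object, not that a POP chain exists; per the advisory, impact still depends on the other plugins and themes installed.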
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-19T16:59:01.385Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6926f4dc6359f79d7175be81
Added to database: 11/26/2025, 12:38:52 PM
Last enriched: 11/26/2025, 12:54:10 PM
Last updated: 11/26/2025, 8:20:31 PM