CVE-2025-9191 is a deserialization vulnerability (CWE-502) affecting the Houzez WordPress theme developed by favethemes, present in all versions up to and including 4.1.6. The vulnerability arises from unsafe deserialization of untrusted data in the saved-search-item.php file, which enables PHP Object Injection by authenticated users with Subscriber-level privileges or higher. This flaw allows attackers to inject crafted PHP objects during the deserialization process. However, the vulnerability alone does not lead to direct exploitation because no gadget POP (Property Oriented Programming) chain exists within the Houzez theme itself. A POP chain is necessary to leverage the injected object to perform malicious actions such as arbitrary file deletion, sensitive data disclosure, or remote code execution. If the target WordPress installation includes other plugins or themes that contain suitable POP chains, an attacker can combine these with the Houzez vulnerability to escalate the attack. The vulnerability has a CVSS 3.1 base score of 6.3, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges (authenticated Subscriber or higher), no user interaction, and impacts confidentiality, integrity, and availability to a limited extent. No known exploits are currently in the wild. The vulnerability was publicly disclosed on November 26, 2025, and no official patches have been linked yet. This issue highlights the risks of complex WordPress environments where multiple third-party components interact, increasing the attack surface through chained vulnerabilities.

The primary impact of CVE-2025-9191 is the potential for authenticated attackers with low-level access (Subscriber or above) to escalate privileges or execute arbitrary code if a suitable POP chain exists in other installed plugins or themes. This can lead to unauthorized deletion of files, exposure of sensitive data such as database credentials or user information, and full site compromise including remote code execution. The vulnerability undermines the confidentiality, integrity, and availability of affected WordPress sites. Organizations running the Houzez theme alongside other vulnerable components face increased risk, especially if they allow low-privileged users to register or have multiple plugins/themes installed without strict vetting. Exploitation could result in website defacement, data breaches, service disruption, and potential lateral movement within hosting environments. Although no exploits are known yet, the medium CVSS score and ease of exploitation by authenticated users make this a significant threat for WordPress sites using Houzez in complex plugin ecosystems.

1. Immediately audit all WordPress installations using the Houzez theme to identify versions up to 4.1.6 and plan for updates or removal. 2. Restrict user registration and limit Subscriber-level privileges to trusted users only, reducing the attacker base. 3. Review and minimize installed plugins and themes, removing any that are unnecessary or known to contain POP chains that could be chained with this vulnerability. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious serialized payloads targeting saved-search-item.php. 5. Monitor logs for unusual deserialization attempts or PHP object injection indicators. 6. Implement strict input validation and sanitization in custom code and encourage vendors to patch the vulnerability promptly. 7. Consider isolating WordPress instances or using containerization to limit lateral movement if compromise occurs. 8. Stay updated with vendor advisories and apply patches as soon as they become available. 9. Conduct penetration testing focusing on deserialization vulnerabilities and chained exploits in the WordPress environment. 10. Educate administrators about the risks of installing unvetted plugins and themes that may introduce POP chains.