A high-severity vulnerability has been identified in multiple favethemes Houzez products, tracked as CVE-2025-53198. This flaw allows an attacker to trick the application into including and executing unintended files from the local server, a technique known as Local File Inclusion (LFI). Successful exploitation could lead to the disclosure of sensitive information, such as configuration files and user credentials, and may result in a complete compromise of the affected server.

The vulnerability is an Improper Control of a Filename for an Include/Require Statement, leading to Local File Inclusion (LFI). The application fails to properly sanitize user-supplied input that is used to construct a file path for a PHP include or require statement. An unauthenticated remote attacker can exploit this by crafting a malicious request containing directory traversal sequences (e.g., ../../) to navigate the server's file system and include arbitrary files. For example, an attacker could read sensitive files like /etc/passwd, web server configurations, or application source code containing database credentials. If the attacker can control the contents of a file on the server (such as a log file or an uploaded file), this LFI vulnerability could be escalated to achieve Remote Code Execution (RCE).

This vulnerability presents a significant risk to the organization, reflected by its High severity rating with a CVSS score of 8.1. Exploitation can directly impact the confidentiality, integrity, and availability of the affected application and server. Potential consequences include the theft of sensitive corporate or customer data, leading to a data breach, reputational damage, and potential regulatory fines. If escalated to Remote Code Execution, an attacker could gain full control of the server, install malware, pivot to other internal network systems, or use the compromised server in further attacks.

Immediate Action: The primary and most effective remediation is to apply the security updates provided by the vendor immediately across all affected systems. After patching, organizations should actively monitor for any signs of exploitation attempts by reviewing web server access logs and application logs for suspicious patterns indicative of LFI attacks.

Proactive Monitoring: Security teams should configure monitoring and alerting for LFI attempts. In web server access logs, search for requests containing directory traversal patterns (../, ..%2f), null bytes (%00), and attempts to access common sensitive files (e.g., wp-config.php, /etc/passwd, .env). Monitor for unusual outbound network connections from the web server, which could indicate a successful compromise and data exfiltration. Employ a File Integrity Monitoring (FIM) solution to detect unauthorized changes to critical application and system files.

Compensating Controls: If immediate patching is not feasible, the following compensating controls can help reduce risk:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attack patterns.
• Harden PHP configurations by setting a restrictive open_basedir directive to limit the files that PHP can access.
• Enforce the principle of least privilege by ensuring the web server process runs with minimal permissions and cannot read sensitive files outside of the web root directory.

Public Exploit Available: false

Given the high CVSS score of 8.1, this vulnerability requires immediate attention. Organizations must prioritize the deployment of vendor-supplied patches to all systems running the affected favethemes Houzez products. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity and the high likelihood of future exploitation necessitate urgent action. We strongly recommend applying the security updates and implementing the proactive monitoring measures outlined in this report to prevent a potential compromise.