A high-severity vulnerability has been identified in multiple favethemes Houzez products, allowing for remote code execution. An unauthenticated attacker can exploit this flaw by tricking the application into including and executing a malicious file from an external server, potentially leading to a complete compromise of the affected website and underlying server.

The vulnerability is a Remote File Inclusion (RFI) flaw within the houzez-theme-functionality component. The application uses a PHP include or require statement that improperly validates user-supplied input for the filename. An attacker can craft a request that provides a URL to a malicious PHP script hosted on an external server. The vulnerable application will then fetch and execute this remote script with the permissions of the web server, resulting in Remote Code Execution (RCE).

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a complete compromise of the web server's confidentiality, integrity, and availability. Potential consequences include theft of sensitive data (such as customer information or payment details), website defacement, installation of malware like ransomware or crypto-miners, and using the compromised server to launch further attacks against the internal network. Such an incident could result in significant financial loss, regulatory fines, and severe reputational damage.

Immediate Action: Apply the security updates provided by the vendor immediately across all affected Houzez theme installations. After patching, review web server and application access logs for any signs of compromise or exploitation attempts that may have occurred prior to the update.

Proactive Monitoring:

• Monitor web server access logs for unusual GET or POST requests, specifically looking for URLs or external IP addresses being passed as parameters to PHP scripts.
• Monitor outbound network traffic from the web server. Block and alert on unexpected outbound connections to external hosts, as this can indicate the server is attempting to fetch a malicious remote file.
• Implement file integrity monitoring to detect the creation of unexpected files or modifications to existing theme files on the web server.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to block RFI attack patterns (e.g., blocking requests containing "http://", "https://", or "ftp://" in URL parameters).
• Harden the server's PHP configuration by setting allow_url_fopen = Off and allow_url_include = Off in the php.ini file. This is a highly effective control that prevents PHP from including files from remote locations.
• Implement strict egress filtering at the network firewall to limit the web server's ability to initiate outbound connections to the internet.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the critical impact of remote code execution, organizations must treat this vulnerability with urgency. The primary recommendation is to apply the vendor-supplied patches to all affected systems without delay. Although this CVE is not currently on the CISA KEV list, its potential for full system compromise makes it an attractive target for threat actors. If patching is delayed, the compensating controls listed above, particularly disabling remote includes in the PHP configuration, should be implemented immediately to mitigate the risk.