Houzez
cpe:2.3:a:favethemes:houzez:*:*:*:*:wordpress:*:*
- <= 4.1.6
A PHP Object Injection vulnerability has been identified in the Houzez theme for WordPress, affecting all versions through 4.1.6. The vulnerability arises from the deserialization of untrusted input in the 'saved-search-item.php' file. This issue allows authenticated attackers with Subscriber-level access and above to inject a PHP object. However, there is no impact unless another plugin or theme with a suitable Property-Oriented Programming (POP) chain is present on the site. If such a chain exists, it could potentially enable the attacker to delete arbitrary files, access sensitive data, or execute code, depending on the nature of the POP chain.
Exploitation of this vulnerability could lead to unauthorized PHP Object Injection, allowing for potential execution of malicious actions if a suitable POP chain is available.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can save a search that includes untrusted input. This input will be deserialized by the theme, allowing for the injection of a PHP object.
Users are advised to update to Houzez version 4.1.7 or later, where this vulnerability has been patched.
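A defensive pattern for the deserialization issue described above, as an added example that is neither Houzez code nor the 4.1.7 patch: a stored value is decoded with `allowed_classes` set to false, so no class named in the input is ever instantiated. The function names, the `DemoGadget` class and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Houzez code): decode a stored, serialized array
// of search arguments without instantiating any class named in the input.
function safe_decode_search_args(string $raw): ?array
{
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a real
    // class (the entry point of a POP chain) can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    if (!is_array($value)) {
        return null; // malformed input, or a top-level object/scalar
    }
    return contains_object($value) ? null : $value;
}

// Recursively reject any object nested inside the decoded array
// (is_object() is true for __PHP_Incomplete_Class on PHP 7.2+).
function contains_object(array $data): bool
{
    foreach ($data as $item) {
        if (is_object($item) || (is_array($item) && contains_object($item))) {
            return true;
        }
    }
    return false;
}

// Constructed stand-in for a class with a magic method; it must never run.
final class DemoGadget
{
    public function __wakeup(): void { echo "magic method ran\n"; }
}

// Constructed sample inputs.
$samples = [
    'plain array'   => serialize(['status' => 'for-sale', 'bedrooms' => 3]),
    'nested object' => 'a:1:{s:6:"status";O:10:"DemoGadget":0:{}}',
    'garbage'       => 'not-serialized',
];
foreach ($samples as $label => $raw) {
    $decoded = safe_decode_search_args($raw);
    printf("%-14s %s\n", $label, $decoded === null ? 'rejected' : json_encode($decoded));
}
```

Only the plain array is returned; the other two inputs are rejected and "magic method ran" is never printed.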