Favethemes — Vulnerabilities & Security Advisories (29)

Browse all 29 CVE security advisories affecting Favethemes. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Favethemes operates as a commercial provider of WordPress themes and plugins, primarily targeting e-commerce and general website development through its extensive marketplace. Security audits reveal a persistent pattern of critical vulnerabilities within its codebase, with twenty-nine Common Vulnerabilities and Exposures (CVEs) currently documented. The most prevalent flaw classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection, often stemming from insufficient input validation and improper sanitization of user-supplied data. Additionally, the company has faced issues related to broken access control, allowing unauthorized privilege escalation for lower-level user roles. These defects frequently enable attackers to execute arbitrary commands or steal sensitive session cookies. While Favethemes generally responds to reported issues, the high volume of historical CVEs indicates systemic weaknesses in their development lifecycle, posing significant risks to sites relying on their unpatched or outdated components.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-24355 | WordPress Houzez Theme - Functionality plugin <= 4.2.6 - Cross Site Scripting (XSS) vulnerability | Houzez Theme - Functionality | CWE-79 | 6.5 | Medium | 2026-01-22 |
| CVE-2025-67964 | WordPress Homey Core plugin <= 2.4.3 - Cross Site Scripting (XSS) vulnerability | Homey Core | CWE-79 | 7.1 | High | 2026-01-22 |
| CVE-2025-67965 | WordPress Homey Core plugin <= 2.4.3 - Broken Access Control vulnerability | Homey Core | CWE-862 | 5.3 | Medium | 2025-12-16 |
| CVE-2025-9163 | Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload | Houzez | CWE-79 | 6.1 | Medium | 2025-11-26 |
| CVE-2025-9191 | Houzez <= 4.1.6 - Authenticated (Subscriber+) PHP Object Injection via Saved Search | Houzez | CWE-502 | 6.3 | Medium | 2025-11-26 |
| CVE-2025-62057 | WordPress Houzez Theme - Functionality plugin < 4.2.0 - Cross Site Scripting (XSS) vulnerability | Houzez Theme - Functionality | CWE-79 | 7.1 | High | 2025-11-06 |
| CVE-2025-62053 | WordPress Houzez theme < 4.2.0 - Local File Inclusion vulnerability | Houzez | CWE-98 | 8.1 | High | 2025-11-06 |
| CVE-2025-62058 | WordPress Houzez Theme - Functionality plugin < 4.2.0 - Cross Site Scripting (XSS) vulnerability | Houzez Theme - Functionality | CWE-79 | 6.5 | Medium | 2025-10-22 |
| CVE-2025-62054 | WordPress Houzez Theme - Functionality plugin <= 4.1.8 - Local File Inclusion vulnerability | Houzez Theme - Functionality | CWE-98 | 7.5 | High | 2025-10-22 |
| CVE-2025-49952 | WordPress Houzez theme <= 4.2.5 - Insecure Direct Object References (IDOR) vulnerability | Houzez | CWE-639 | 6.5 | Medium | 2025-10-22 |
| CVE-2025-49407 | WordPress Houzez Theme <= 4.1.1 - Cross Site Scripting (XSS) Vulnerability | Houzez | CWE-79 | 8.8 | High | 2025-08-28 |
| CVE-2025-49405 | WordPress Houzez Theme < 4.1.4 - Local File Inclusion Vulnerability | Houzez | CWE-98 | 4.3 | Medium | 2025-08-28 |
| CVE-2025-49406 | WordPress Houzez Theme <= 4.1.1 - Broken Access Control Vulnerability | Houzez | CWE-862 | 8.5 | High | 2025-08-20 |
| CVE-2025-53198 | WordPress Houzez theme <= 4.0.4 - Local File Inclusion Vulnerability | Houzez | CWE-98 | 8.1 | High | 2025-08-20 |
| CVE-2025-53997 | WordPress Houzez theme <= 4.0.4 - Broken Access Control Vulnerability | Houzez | CWE-862 | 4.3 | Medium | 2025-07-16 |
| CVE-2025-31037 | WordPress Homey theme <= 2.4.5 - Reflected Cross Site Scripting (XSS) vulnerability | Homey | CWE-79 | 7.1 | High | 2025-07-04 |
| CVE-2025-52834 | WordPress Homey theme <= 2.4.7 - SQL Injection vulnerability | Homey | CWE-89 | 9.3 | Critical | 2025-06-27 |
| CVE-2024-51800 | WordPress Homey theme <= 2.4.1 - Privilege Escalation vulnerability | Homey | CWE-266 | 9.8 | Critical | 2025-04-04 |
| CVE-2025-24747 | WordPress Houzez theme <= 3.4.0 - Broken Access Control vulnerability | Houzez | CWE-862 | 5.3 | Medium | 2025-01-27 |
| CVE-2025-24754 | WordPress Houzez theme <= 3.4.0 - Broken Access Control vulnerability | Houzez | CWE-862 | 4.3 | Medium | 2025-01-27 |
| CVE-2024-51888 | WordPress Homey Login Register Plugin <= 2.4.0 - Privilege Escalation vulnerability | Homey Login Register | CWE-266 | 9.8 | Critical | 2025-01-21 |
| CVE-2024-22303 | WordPress Houzez theme <= 3.2.4 - Privilege Escalation vulnerability | Houzez | CWE-266 | 8.8 | High | 2024-09-17 |
| CVE-2024-21743 | WordPress Houzez Login Register plugin <= 3.2.5 - Privilege Escalation vulnerability | Houzez Login Register | CWE-266 | 8.8 | High | 2024-09-17 |
| CVE-2024-43244 | WordPress houzez Theme By FaveThemes <= 3.2.4 - Cross Site Scripting (XSS) vulnerability | Houzez | CWE-79 | 7.1 | High | 2024-08-18 |
| CVE-2024-5793 | Houzez Theme - Functionality <= 3.2.2 - Authenticated (Seller+) SQL Injection | Houzez Theme - Functionality | CWE-89 | 8.8 | High | 2024-07-09 |
| CVE-2023-26540 | WordPress Houzez theme <= 2.7.1 - Privilege Escalation | Houzez | CWE-269 | 9.8 | Critical | 2024-05-17 |
| CVE-2023-26009 | WordPress Houzez Login Register plugin <= 2.6.3 - Privilege Escalation | Houzez Login Register | CWE-269 | 9.8 | Critical | 2024-05-17 |
| CVE-2023-29432 | WordPress Houzez Theme < 2.8.3 is vulnerable to SQL Injection | Houzez - Real Estate WordPress Theme | CWE-89 | 8.2 | High | 2023-12-20 |
| CVE-2023-36529 | WordPress Houzez CRM Plugin <= 1.3.4 is vulnerable to SQL Injection | Houzez - Real Estate WordPress Theme | CWE-89 | 9.9 | Critical | 2023-11-03 |

This page lists every published CVE security advisory associated with Favethemes. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.