CVE-2025-49402: 
WordPress vulnerability analysis and mitigation

Missing Authorization vulnerability (CVE-2025-49402) affects the Houzez CRM WordPress plugin versions up to and including 1.4.7. The vulnerability was discovered and reported by Rafie Muhammad from Patchstack on August 27, 2025. This security issue involves incorrectly configured access control security levels that could allow authenticated users with subscriber-level access to perform unauthorized actions (Rapid7, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The attack vector is network-based, requires low attack complexity, needs low privileges, and no user interaction. The scope is unchanged, with high impact on confidentiality but no impact on integrity or availability. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD, AttackerKB).

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform unauthorized actions within the Houzez CRM plugin. This could potentially lead to unauthorized access to sensitive information due to the high confidentiality impact indicated in the CVSS score (Rapid7).

The vulnerability has been fixed in version 1.5.0 of the Houzez CRM plugin. Users are advised to update to version 1.5.0 or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).