{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9163", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-19T13:18:40.338Z", "datePublished": "2025-11-26T12:30:05.001Z", "dateUpdated": "2026-04-08T17:28:48.714Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:48.714Z"}, "affected": [{"vendor": "favethemes", "product": "Houzez", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "title": "Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e177f3-fb24-4dd5-80d5-19b113d5f527?source=cve"}, {"url": "https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Alex Thomas"}], "timeline": [{"time": "2025-11-26T00:01:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-26T13:57:52.333469Z", "id": "CVE-2025-9163", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-26T13:59:31.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9163", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-26T13:57:52.333469Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-26T13:59:12.431Z"}}], "cna": {"title": "Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Alex Thomas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "favethemes", "product": "Houzez", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-26T00:01:12.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e177f3-fb24-4dd5-80d5-19b113d5f527?source=cve"}, {"url": "https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog"}], "descriptions": [{"lang": "en", "value": "The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-26T12:30:05.001Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9163", "state": "PUBLISHED", "dateUpdated": "2025-11-26T13:59:31.502Z", "dateReserved": "2025-08-19T13:18:40.338Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-26T12:30:05.001Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "id": "CVE-2025-9163", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-26T13:16:00.683", "references": [{"source": "security@wordfence.com", "url": "https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e177f3-fb24-4dd5-80d5-19b113d5f527?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:59:28.348938+00:00", "value": {"mitigation_remediation": ["Upgrade the Houzez theme to a version newer than 4.1.6 or apply an official patch once available.", "Disable SVG file uploads in the theme settings or by configuring WordPress to block the SVG MIME type.", "Implement server\u2011side validation for SVG files, stripping or refusing any embedded script tags or JavaScript before accepting the upload."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects sites running the Houzez theme for WordPress version 4.1.6 and earlier. The theme is distributed by favethemes under the product name Houzez. The specific functions responsible for the flaw are houzez_property_img_upload() and houzez_property_attachment_upload(). No other vendors or products are listed as affected. If a site is using any of these versions, it is at risk.", "description_and_impact": "The Houzez WordPress theme contains a stored cross\u2011site scripting vulnerability that allows unauthenticated users to upload SVG files containing malicious JavaScript. When an attacker uploads such a file, the scripting code is stored and executed in the browser whenever the SVG is viewed, potentially enabling session hijacking, defacement or malicious redirect of site visitors. This flaw is caused by insufficient input sanitization and output escaping in the theme\u2019s file\u2011upload functions, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score is 6.1 indicating a moderate level of impact. The EPSS score is less than 1%, suggesting that exploitation likelihood is low at present. The vulnerability is not listed in the CISA KEV catalog. Attackers do not need any user credentials; they simply need access to the file\u2011upload interface for a website using the affected theme. Once an SVG file is uploaded, the malicious script will run in the browsers of any user who opens that file, which can provide an attacker with significant avenues for credential theft or defacement. Because the flaw permits arbitrary script execution, it is highly dangerous in a trusted site environment."}}}}, "created": "2025-11-27T16:26:41.779252+00:00", "updated": "2026-04-20T19:00:10.704087+00:00", "vendors": ["favethemes", "favethemes$PRODUCT$houzez", "wordpress", "wordpress$PRODUCT$wordpress"]}