CVE-2025-9163 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Houzez WordPress theme developed by favethemes. The vulnerability exists in all versions up to and including 4.1.6 and is due to improper neutralization of input during web page generation. Specifically, the functions houzez_property_img_upload() and houzez_property_attachment_upload() fail to adequately sanitize and escape SVG file uploads. SVG files can contain embedded scripts, and because these files are not properly sanitized, an attacker can upload a crafted SVG file containing malicious JavaScript. When any user visits a page displaying the uploaded SVG, the malicious script executes in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is remotely exploitable without authentication, requiring only that the attacker upload a malicious SVG and that a user views the affected page, thus involving user interaction. The CVSS v3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed, and a scope change due to impact on other components beyond the vulnerable code. No patches or official fixes are currently published, and no known exploits have been observed in the wild. The vulnerability highlights the risks of allowing SVG uploads without strict validation and the importance of output encoding to prevent XSS in web applications.

For European organizations, particularly those in the real estate sector using the Houzez WordPress theme, this vulnerability poses a significant risk to user confidentiality and data integrity. Attackers can steal session cookies or credentials, leading to account compromise or unauthorized access to sensitive information. This can result in reputational damage, loss of customer trust, and potential regulatory penalties under GDPR if personal data is exposed. The vulnerability does not directly affect availability but can facilitate further attacks that may disrupt services. Since the attack requires user interaction, phishing or social engineering could be leveraged to increase exploitation success. The widespread use of WordPress and the popularity of the Houzez theme in real estate markets across Europe amplify the potential impact. Organizations may face targeted attacks aiming to exploit this vulnerability to gain footholds in their web infrastructure or to defraud customers.

1. Immediately restrict or disable SVG file uploads in the Houzez theme until a patch is available. 2. Implement strict server-side validation and sanitization of SVG files, removing any embedded scripts or potentially dangerous elements before upload acceptance. 3. Apply output encoding and escaping on all user-supplied content, especially files rendered on web pages. 4. Deploy Content Security Policy (CSP) headers to restrict script execution sources and mitigate the impact of any injected scripts. 5. Monitor web server logs for unusual upload activity or access patterns related to SVG files. 6. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with uploaded content. 7. Once the vendor releases a patch or update, prioritize upgrading the Houzez theme to the fixed version. 8. Consider using Web Application Firewalls (WAFs) with rules to detect and block malicious SVG payloads. 9. Regularly audit and review third-party plugins and themes for vulnerabilities and maintain an inventory of web assets to quickly respond to emerging threats.