CVE-2025-9163 is a stored cross-site scripting vulnerability identified in the Houzez WordPress theme, a popular real estate theme developed by favethemes. The vulnerability exists in all versions up to and including 4.1.6, caused by insufficient sanitization and escaping of SVG file uploads in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. SVG files can embed JavaScript, and because the theme does not properly neutralize this input, attackers can upload malicious SVG files containing arbitrary scripts. These scripts execute in the context of any user who views the page containing the uploaded SVG, enabling attacks such as session hijacking, credential theft, or unauthorized actions on behalf of the user. The vulnerability is exploitable remotely without authentication, requiring only user interaction to visit the affected page. The CVSS 3.1 score of 6.1 reflects a medium severity, with attack vector network, low attack complexity, no privileges required, user interaction required, and scope changed due to impact on user sessions. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the risks of improper input validation and output encoding in web applications, especially when handling complex file types like SVGs that can contain active content.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions. Attackers can execute arbitrary JavaScript in the context of the affected website, potentially stealing cookies, session tokens, or performing actions on behalf of authenticated users. This can lead to account compromise, data leakage, or unauthorized changes to user data. Although availability is not directly impacted, the trustworthiness of the affected website is compromised, which can damage reputation and user confidence. Organizations running websites with the Houzez theme, particularly those in the real estate sector, may face targeted attacks aiming to exploit this vulnerability to gain access to user accounts or inject malicious content. Because the exploit requires only uploading a crafted SVG file and user interaction, it can be leveraged in phishing or social engineering campaigns. The vulnerability affects all installations using vulnerable versions, which may be widespread given the popularity of WordPress and the Houzez theme in real estate markets worldwide.

1. Immediately update the Houzez theme to a patched version once available from the vendor to ensure proper sanitization and escaping of SVG uploads. 2. Until an official patch is released, disable SVG file uploads or restrict file upload types to exclude SVGs to prevent malicious content uploads. 3. Implement server-side validation and sanitization of uploaded SVG files using specialized libraries that remove or neutralize embedded scripts and active content. 4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 5. Limit upload permissions to trusted users only and monitor upload activity for suspicious files. 6. Educate users to avoid clicking on suspicious links or visiting untrusted pages that may contain malicious SVG content. 7. Regularly audit and scan the website for malicious files or injected scripts using security plugins or external tools. 8. Consider implementing Web Application Firewalls (WAF) with rules to detect and block XSS payloads in uploads and requests.