CVE-2025-9163 is a stored cross-site scripting vulnerability identified in the Houzez WordPress theme developed by favethemes, affecting all versions up to and including 4.1.6. The vulnerability stems from insufficient sanitization and escaping of SVG file uploads handled by the houzez_property_img_upload() and houzez_property_attachment_upload() functions. SVG files can contain embedded scripts, and because the theme does not properly neutralize this input, an attacker can upload a crafted SVG file that contains malicious JavaScript code. This code is then stored on the server and executed in the context of any user who views the page containing the SVG image, leading to potential session hijacking, credential theft, or other malicious actions. The attack requires no authentication, making it accessible to unauthenticated attackers, but user interaction is necessary for the script to execute (i.e., a user must visit the affected page). The CVSS 3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. Currently, there are no known exploits in the wild, and no official patches have been released at the time of publication. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS vulnerabilities. Given the widespread use of WordPress and the popularity of the Houzez theme in real estate websites, this vulnerability could be leveraged to compromise site visitors and administrators alike.

For European organizations, especially those operating real estate platforms or websites using the Houzez theme, this vulnerability poses a significant risk to confidentiality and integrity. Attackers can inject malicious scripts that execute in users' browsers, potentially stealing session cookies, redirecting users to phishing sites, or performing actions on behalf of authenticated users. This can lead to unauthorized access, data leakage, and reputational damage. Since the vulnerability does not affect availability directly, denial of service is less of a concern. However, the compromised trust and potential data breaches could have regulatory implications under GDPR, including fines and mandatory breach notifications. The fact that no authentication is required lowers the barrier for exploitation, increasing the risk profile. Organizations with high traffic and user engagement are at greater risk of impact. Additionally, the scope change means that the vulnerability could affect other components or data beyond the immediate upload functionality, increasing the potential attack surface.

Organizations should immediately audit their WordPress installations to identify if the Houzez theme is in use and verify the version. Until an official patch is released, administrators should disable or restrict SVG file uploads, as SVGs are the attack vector. Implementing a strict whitelist of allowed file types for uploads can prevent malicious SVGs from being uploaded. Web application firewalls (WAFs) should be configured to detect and block suspicious SVG upload attempts and script injections. Employ Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of any injected scripts. Regularly monitor logs for unusual upload activity or user behavior indicative of exploitation attempts. Once patches become available, apply them promptly. Additionally, educate site administrators and users about the risks of clicking on suspicious links or interacting with untrusted content. Conduct security testing and code reviews focusing on input sanitization and output encoding in custom theme functions. Consider disabling SVG support entirely if not essential.