Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality.This issue affects Houzez Theme - Functionality: from n/a through < 4.2.0.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An injection flaw exists in the favethemes Houzez Theme - Functionality plugin that allows arbitrary script code to be embedded into generated web pages. The flaw is an example of improper neutralization of input during page rendering (CWE‑79). Exploitation of this vulnerability could enable an attacker to inject client‑side scripts, potentially leading to session hijacking, cookie theft, defacement, or delivery of malicious payloads to site visitors. The impact is confined to web clients and does not provide a direct path to server compromise or data exfiltration on its own.

Affected Systems

The vulnerability affects any installation of the WordPress Houzez Theme - Functionality plugin from any version prior to 4.2.0. The plugin is provided by favethemes under the product name Houzez Theme - Functionality.

Risk and Exploitability

The vulnerability’s CVSS score of 7.1 places it in the medium‑to‑high severity range. The EPSS score is below 1%, indicating that, as of current data, exploitation rates are low. The flaw is not listed in CISA’s KEV catalog. Likely exploitation would involve a malicious attacker crafting a URL or exploiting a content field to inject script that executes within a victim’s browser when they view the compromised page.

Generated by OpenCVE AI on April 29, 2026 at 16:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Houzez Theme - Functionality plugin to version 4.2.0 or later.
  • If the plugin is not essential, remove or disable it entirely to eliminate the vulnerability.
  • Implement a Web Application Firewall (WAF) rule or an input‑validation routine to filter or encode any data passed to the plugin, ensuring that user supplied content cannot inject scripts.

Generated by OpenCVE AI on April 29, 2026 at 16:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Fri, 07 Nov 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress
Vendors & Products Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality.This issue affects Houzez Theme - Functionality: from n/a through < 4.2.0.
Title WordPress Houzez Theme - Functionality plugin < 4.2.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Favethemes Houzez
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:51:52.727Z

Reserved: 2025-10-07T15:34:37.452Z

Link: CVE-2025-62057

cve-icon Vulnrichment

Updated: 2025-11-06T17:56:25.997Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:16:12.030

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62057

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:15:15Z

Weaknesses