Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality.This issue affects Houzez Theme - Functionality: from n/a through < 4.2.0.
Published: 2025-10-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Houzez Theme - Functionality plugin for WordPress contains an improper neutralization of input during web page generation vulnerability (CWE‑79). The flaw allows injection of arbitrary JavaScript when user‑supplied data is rendered without adequate sanitization, enabling code to run in visitors' browsers.

Affected Systems

WordPress sites that use the Houzez Theme‑Functionality plugin from any earlier version through pre‑4.2.0 are affected; all installations running a version older than 4.2.0 are vulnerable.

Risk and Exploitability

The CVSS base score of 6.5 classifies the flaw as medium severity. The EPSS score suggests exploitation likelihood is less than 1 percent, indicating low probability of widespread attacks. It is not listed in the CISA KEV catalog. The attack vector is likely through any page input or form processed by the plugin, and the vulnerability can be triggered without user authentication, meaning a visitor could potentially exploit it.

Generated by OpenCVE AI on April 29, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Houzez Theme - Functionality plugin to version 4.2.0 or later.
  • Apply a web application firewall or input filtering to block malicious script payloads that the plugin processes.
  • If upgrade cannot be performed, remove or permanently disable the plugin from the WordPress site.

Generated by OpenCVE AI on April 29, 2026 at 20:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress
Vendors & Products Favethemes
Favethemes houzez
Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality.This issue affects Houzez Theme - Functionality: from n/a through < 4.2.0.
Title WordPress Houzez Theme - Functionality plugin < 4.2.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Favethemes Houzez
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:52:01.727Z

Reserved: 2025-10-07T15:34:37.452Z

Link: CVE-2025-62058

cve-icon Vulnrichment

Updated: 2025-10-23T14:30:31.788Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:16:04.930

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62058

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z

Weaknesses