Impact
The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the user-supplied 'orderby' and 'order' parameters, which are concatenated directly into an ORDER BY clause without proper preparation. The only filtering applied is sanitize_text_field(), which strips tags and control characters but neither escapes SQL metacharacters nor restricts the value to a known column name or sort direction, so the resulting string remains injectable. An authenticated attacker with Administrator-level privileges or higher can append additional SQL to the existing query and use it to extract sensitive information from the database, raising confidentiality risk. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
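To make the pattern concrete, the following PHP is an added illustration and not the plugin's own code: it models an ORDER BY clause built from request input, first the way the advisory describes (sanitized, then concatenated) and then with an allowlist. The functions build_query_unsafe(), build_query_safe() and the sanitize_text_field_stub() stand-in for WordPress's sanitize_text_field() are assumptions introduced here so the file runs without WordPress; the request values are constructed sample input.

```php
<?php
// Added illustration, not code from the Houzez Property Feed plugin.
// sanitize_text_field_stub() is a minimal stand-in for WordPress's
// sanitize_text_field(): it strips tags and control characters, but, like
// the real function, does not escape SQL metacharacters or validate that the
// value is a column name. That is the gap the advisory describes.
function sanitize_text_field_stub(string $s): string {
    $s = strip_tags($s);
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
    return trim($s);
}

// Vulnerable pattern: "sanitize" then concatenate. Identifiers and the ORDER BY
// direction cannot be bound as ordinary prepared-statement values, so escaping
// alone would not help either; whatever the caller sends ends up in the SQL.
function build_query_unsafe(string $orderby, string $order): string {
    $orderby = sanitize_text_field_stub($orderby);
    $order   = sanitize_text_field_stub($order);
    return "SELECT * FROM wp_posts ORDER BY {$orderby} {$order}";
}

// Hardened pattern: map the request value onto an allowlist of known columns
// and directions. Unknown input never reaches the query; it falls back to a
// safe default instead of being passed through.
function build_query_safe(string $orderby, string $order): string {
    $columns = [
        'date'  => 'post_date',
        'title' => 'post_title',
        'id'    => 'ID',
    ];
    $column    = $columns[strtolower($orderby)] ?? 'post_date';
    $direction = strtoupper($order) === 'ASC' ? 'ASC' : 'DESC';
    return "SELECT * FROM wp_posts ORDER BY {$column} {$direction}";
}

// Constructed sample requests: a benign sort, then one that smuggles a
// subquery through the orderby parameter (a generic time-based probe, used
// only to show that the string survives sanitize_text_field() unchanged).
$requests = [
    ['orderby' => 'date',              'order' => 'asc'],
    ['orderby' => '(SELECT SLEEP(5))', 'order' => 'desc'],
];

foreach ($requests as $req) {
    echo "unsafe: " . build_query_unsafe($req['orderby'], $req['order']) . PHP_EOL;
    echo "safe:   " . build_query_safe($req['orderby'], $req['order']) . PHP_EOL;
}
```

Running it shows the second request's subquery appearing verbatim in the unsafe query while the safe builder emits `ORDER BY post_date DESC`. In real plugin code the same allowlist approach applies; on WordPress 6.2 and later, $wpdb->prepare() additionally accepts the %i placeholder for identifiers, but a direction keyword still has to be validated against ASC/DESC rather than escaped.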
Affected Systems
All releases of the Houzez Property Feed plugin up to and including version 2.5.46 are affected. The plugin is published by PropertyHive under the product name Houzez Property Feed; any WordPress site running one of these versions should confirm the installed version (on the Plugins screen, or with `wp plugin list` where WP-CLI is available) and upgrade to a fixed release, or remove the plugin if no fix is available.
Risk and Exploitability
A CVSS score of 4.9 places the vulnerability in the medium severity range. No EPSS value is available, so the likelihood of exploitation is uncertain, but because the flaw requires authenticated access with Administrator or higher privileges, the pool of potential attackers is limited to already-privileged users, or to anyone holding such a user's credentials or session. The vulnerability is not listed in CISA's KEV catalog, which means no confirmed in-the-wild exploitation has been recorded there; it says nothing about whether exploit code exists. Bear in mind that on a standard single-site WordPress install an Administrator can already install plugins and run arbitrary PHP, so the additional exposure is greatest on multisite deployments and on installs hardened with DISALLOW_FILE_MODS, where administrators are deliberately denied that capability and direct database read access is a genuine escalation. Nonetheless, the potential to extract arbitrary database content warrants prompt attention, especially for sites where sensitive property data is stored.
OpenCVE Enrichment