Description
The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table (and Houzez_Property_Feed_Admin_Logs_Import_Table) class. The user-controlled $_GET['orderby'] and $_GET['order'] values are filtered only with sanitize_text_field() and then concatenated into the SQL format string before $wpdb->prepare() is called — prepare() only parameterizes the appended LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-07-02
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection when the user-supplied 'orderby' and 'order' parameters are concatenated directly into an ORDER BY clause without proper preparation. The only filtering applied is sanitize_text_field(), which leaves the resulting string exposed to injection, allowing an attacker with Administrator-level privileges to append malicious SQL to the existing query. This leads to sensitive database contents being exposed, elevating confidentiality risk. The weakness corresponds to CWE-89, injection of SQL statements via user input.
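The following is an added illustration of the defect described in the Description and Impact sections above; it is not the plugin's own code. It contrasts the vulnerable shape, in which sanitize_text_field() output is spliced into the ORDER BY clause before $wpdb->prepare() ever runs, with an allowlist-based fix. The table name, column names and the sanitize_text_field() stub are assumptions so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Table and column names are assumed.

// Stand-in so the file runs outside WordPress. The real sanitize_text_field()
// strips tags and control characters but leaves SQL punctuation such as
// commas, parentheses and quotes untouched, which is the whole problem.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        return trim( strip_tags( (string) $str ) );
    }
}

// Vulnerable shape from the advisory: orderby/order are "sanitized" and then
// spliced into the format string. A later $wpdb->prepare( $sql, $per_page,
// $offset ) binds only the %d placeholders; the ORDER BY text is already part
// of the statement and prepare() cannot retroactively neutralize it.
function build_logs_query_vulnerable( $orderby, $order ) {
    $orderby = sanitize_text_field( $orderby );
    $order   = sanitize_text_field( $order );
    return "SELECT * FROM wp_hpf_logs ORDER BY $orderby $order LIMIT %d OFFSET %d";
}

// Hardened shape: SQL identifiers cannot be bound as parameters, so the sort
// column must be chosen from a fixed allowlist and the direction reduced to
// one of two literals. Only integer LIMIT/OFFSET values go through prepare().
function build_logs_query_safe( $orderby, $order ) {
    $allowed = array( 'id', 'log_date', 'status' ); // assumed column names
    $column  = in_array( $orderby, $allowed, true ) ? $orderby : 'id';
    $dir     = ( strtoupper( (string) $order ) === 'ASC' ) ? 'ASC' : 'DESC';
    // WordPress core also offers sanitize_sql_orderby() for this check; an
    // explicit allowlist is stricter because it pins the column set.
    return "SELECT * FROM wp_hpf_logs ORDER BY `$column` $dir LIMIT %d OFFSET %d";
}

// Constructed untrusted input: not a column name, and it survives
// sanitize_text_field() unchanged.
$untrusted_orderby = 'no_such_column, 2';
$untrusted_order   = 'asc 1';

$vulnerable = build_logs_query_vulnerable( $untrusted_orderby, $untrusted_order );
$safe       = build_logs_query_safe( $untrusted_orderby, $untrusted_order );

// The tainted text lands verbatim in the vulnerable query ...
assert( strpos( $vulnerable, 'no_such_column, 2' ) !== false );
// ... while the safe builder falls back to the default column and direction.
assert( $safe === 'SELECT * FROM wp_hpf_logs ORDER BY `id` DESC LIMIT %d OFFSET %d' );

echo $vulnerable, PHP_EOL, $safe, PHP_EOL;
```

The same allowlist check applies to any WP_List_Table subclass that reads $_GET['orderby'] and $_GET['order'] in prepare_items(), which is also a useful pattern to grep for when auditing other plugins.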

Affected Systems

All installations of the Houzez Property Feed plugin from any release up to and including version 2.5.46 are affected. The plugin is distributed by PropertyHive under the product name Houzez Property Feed; any WordPress site deploying the plugin in these versions must verify the installed version and consider an upgrade or replacement.

Risk and Exploitability

The CVSS score of 4.9 places the vulnerability in a moderate severity range. With no EPSS value available, the exact likelihood of exploitation remains uncertain, but because the flaw requires authenticated access with Administrator or higher privileges, the attacker window is limited to privileged users. The vulnerability is not listed in CISA’s KEV catalog, suggesting that public exploit code may not yet be widespread. Nonetheless, the potential to extract arbitrary database content warrants prompt attention, especially for sites where sensitive property data is stored.

Generated by OpenCVE AI on July 2, 2026 at 12:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Houzez Property Feed to the latest release (≥ 2.5.47) or apply the vendor’s patch that removes the unsanitized ORDER BY path.
  • If an upgrade cannot be performed immediately, temporarily revoke or limit Administrator access to the plugin’s export/import and logs export features until the issue is resolved.
  • Review and tighten database access controls so that only necessary accounts can perform privileged operations, and audit other plugins or themes for similar unsanitized query construction paths.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table (and Houzez_Property_Feed_Admin_Logs_Import_Table) class. The user-controlled $_GET['orderby'] and $_GET['order'] values are filtered only with sanitize_text_field() and then concatenated into the SQL format string before $wpdb->prepare() is called — prepare() only parameterizes the appended LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title         (none)           Houzez Property Feed <= 2.5.46 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter
Weaknesses    (none)           CWE-89
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-02T05:35:07.352Z

Reserved: 2026-06-25T18:13:25.213Z

Link: CVE-2026-13357

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T12:15:04Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')