This vulnerability stems from improper neutralization of input that permits an attacker to embed malicious scripts in content stored by the Houzez Theme ‑ Functionality plugin. When a page containing the stored payload is viewed, arbitrary JavaScript runs in the victim’s browser context. This can lead to theft of session cookies, credential hijacking, defacement, or further malicious actions performed as the visitor. Based on the description, it is inferred that the attacker can create such a payload through the plugin’s content input fields that are rendered without proper escaping. The weakness corresponds to CWE‑79 – Cross‑Site Scripting.

The flaw affects the favethemes Houzez Theme ‑ Functionality plugin in all versions up through and including 4.2.6. Any site running a vulnerable version without a patch is susceptible to stored XSS.

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation typically requires the attacker to inject malicious content that is stored and later rendered by the plugin. This implicitly means the attacker must have write access to content or comment areas that the plugin does not sanitize. The likely attack vector is authenticated content creation or public input fields that the plugin does not cleanse. The risk is amplified if administrators grant posting permissions to untrusted users.