Stored Cross-Site Scripting in Houzez Theme for WordPress
CVE-2025-9163

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Houzez
Vendor: CVE Published:; 26 November 2025

What is CVE-2025-9163?

The Houzez theme for WordPress has a significant vulnerability allowing stored Cross-Site Scripting (XSS) due to inadequate input validation and output encoding mechanisms during SVG file uploads. This flaw affects all versions of the theme up to and including 4.1.6. As a result, unauthenticated attackers could exploit this vulnerability to embed malicious scripts within uploaded SVG files. When users later access these files, their browsers will execute the harmful scripts, potentially leading to unauthorized actions and data exposure.

Affected Version(s)

Houzez * <= 4.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://favethemes.zendesk.com/hc/en-us/articles/36004163...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 26, 2025
Vulnerability Reserved
Aug 19, 2025

Credit

Alex Thomas

JSON