SQL Injection Vulnerability in Houzez Property Feed Plugin for WordPress
CVE-2026-13357

4.9MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
2 July 2026

What is CVE-2026-13357?

The Houzez Property Feed plugin for WordPress is susceptible to SQL Injection due to improper validation of user inputs in the 'orderby' parameter. This vulnerability exists across all versions up to and including 2.5.46. The core issue lies in the insufficient escaping of user input before it is concatenated into SQL query strings. As a result, authenticated users with Administrator-level access can manipulate existing SQL queries, potentially extracting sensitive data from the database. It's crucial for organizations utilizing this plugin to assess their risk and apply necessary updates and mitigations.

Affected Version(s)

Houzez Property Feed 0 <= 2.5.46

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.