SQL Injection Vulnerability in Houzez Property Feed Plugin for WordPress
CVE-2026-13357
4.9MEDIUM
What is CVE-2026-13357?
The Houzez Property Feed plugin for WordPress is susceptible to SQL Injection due to improper validation of user inputs in the 'orderby' parameter. This vulnerability exists across all versions up to and including 2.5.46. The core issue lies in the insufficient escaping of user input before it is concatenated into SQL query strings. As a result, authenticated users with Administrator-level access can manipulate existing SQL queries, potentially extracting sensitive data from the database. It's crucial for organizations utilizing this plugin to assess their risk and apply necessary updates and mitigations.
Affected Version(s)
Houzez Property Feed 0 <= 2.5.46