CVE-2025-9163 Overview
CVE-2025-9163 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting the Houzez theme for WordPress in all versions up to and including 4.1.6. The flaw resides in the houzez_property_img_upload() and houzez_property_attachment_upload() functions, which fail to properly sanitize input and escape output when handling Scalable Vector Graphics (SVG) file uploads. Unauthenticated attackers can upload SVG files containing arbitrary JavaScript. When a user later accesses the uploaded SVG file, the embedded script executes in the browser context of the WordPress site.
Critical Impact
Unauthenticated attackers can inject arbitrary JavaScript that executes in the browser of any user viewing the malicious SVG, enabling session theft, phishing, and drive-by redirects.
Affected Products
- Houzez theme for WordPress by FaveThemes
- All versions up to and including 4.1.6
- WordPress sites accepting SVG uploads through Houzez property listing forms
Discovery Timeline
- 2025-11-26 - CVE-2025-9163 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9163
Vulnerability Analysis
The Houzez theme provides real estate listing functionality for WordPress, including front-end property submission forms that allow users to upload images and attachments. Two functions handle these uploads: houzez_property_img_upload() for property images and houzez_property_attachment_upload() for property attachments. Both functions accept SVG files without stripping embedded scripting content.
SVG is an XML-based image format that supports embedded <script> elements and JavaScript event handlers such as onload. When a browser renders an SVG directly, it executes any embedded scripts within the origin of the hosting domain. This makes SVG uploads a well-known vector for stored XSS when servers do not sanitize the file contents.
Because the upload handlers do not require authentication, remote attackers can submit malicious SVG payloads through the public property submission workflow. The payload persists on the server and executes each time a victim opens the file URL.
Root Cause
The upload functions perform insufficient input sanitization and output escaping. They validate that the uploaded file has an SVG extension or MIME type but do not parse the XML content to strip <script> tags, event handlers, or javascript: URIs before storing the file in the WordPress uploads directory.
Attack Vector
An unauthenticated attacker crafts an SVG file containing JavaScript, submits it through a Houzez property submission form, and then distributes the resulting file URL to victims. User interaction is required — the victim must open or preview the SVG. When the file loads, the embedded script executes with the privileges of the victim's session on the WordPress domain. Technical details are described in the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-9163
Indicators of Compromise
- SVG files in the /wp-content/uploads/ directory containing <script> tags, onload= attributes, or javascript: URIs
- Unexpected SVG files uploaded through anonymous or unauthenticated sessions
- Web server access logs showing POST requests to Houzez upload endpoints from unauthenticated clients followed by GET requests to the resulting SVG paths
Detection Strategies
- Scan the WordPress uploads directory for SVG files and inspect their XML content for scripting constructs
- Review WordPress media library entries created by unauthenticated or low-privilege users for SVG attachments
- Correlate uploads to houzez_property_img_upload() and houzez_property_attachment_upload() endpoints with subsequent SVG retrievals from external IPs
Monitoring Recommendations
- Enable WordPress audit logging to record file uploads with user, timestamp, and file hash
- Monitor web application firewall (WAF) alerts for XSS payloads in multipart form data targeting Houzez endpoints
- Alert on any SVG file served with Content-Type: image/svg+xml that contains inline JavaScript
How to Mitigate CVE-2025-9163
Immediate Actions Required
- Update the Houzez theme to a version later than 4.1.6 once the vendor releases a fix, tracked in the FaveThemes Changelog
- Disable SVG uploads site-wide if the theme cannot be updated immediately
- Audit the uploads directory and remove any SVG files containing script content
Patch Information
Refer to the FaveThemes Changelog for the fixed release. Verify that the patched version sanitizes SVG content in both houzez_property_img_upload() and houzez_property_attachment_upload().
Workarounds
- Configure the web server to serve SVG files with Content-Disposition: attachment to prevent inline rendering
- Restrict the allowed MIME types in WordPress to exclude image/svg+xml until the theme is patched
- Place a WAF rule in front of the Houzez upload endpoints to block requests containing <script, onload=, or javascript: inside multipart bodies
- Require authentication for property submission forms to reduce anonymous exposure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

