Hong Kong Security Alert: Houzez Theme XSS (CVE-2025-9163)

Cross Site Scripting (XSS) in WordPress Houzez Theme

Unauthenticated Stored XSS in Houzez Theme (<= 4.1.6) via SVG Upload — What WordPress Owners Must Do Now


Plugin Name: Houzez
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2025-9163
Urgency: Medium
CVE Publish Date: 2025-11-30
Source URL: CVE-2025-9163

A recently disclosed vulnerability affecting the Houzez WordPress theme (versions up to and including 4.1.6) lets unauthenticated attackers upload malicious SVG files that are stored and later rendered, enabling persistent (stored) cross-site scripting (XSS). The issue has been assigned CVE-2025-9163 and a CVSS base score of 7.1 (Medium). A fix was released in Houzez 4.1.7, but many sites still run older versions and remain exposed.

This article explains, in clear technical terms and with practical steps, how the vulnerability works, the real risks to your site and users, and what to do immediately and in the longer term. If you manage WordPress sites using Houzez or any site that accepts SVG uploads from untrusted users, read and act promptly.

Quick summary (for time-pressed site owners)

  • Vulnerability: Unauthenticated stored XSS via SVG file upload in Houzez theme ≤ 4.1.6
  • CVE: CVE-2025-9163
  • Severity: Medium (CVSS 7.1)
  • Impact: Persistent XSS — attackers can inject JavaScript executed whenever the uploaded SVG is rendered. Potential outcomes include session hijacking, content injection, redirects, and backdoors.
  • Fixed in: Houzez 4.1.7 — update immediately if practicable.
  • Immediate mitigations if you cannot update right away:
    • Disable SVG uploads or restrict uploads to trusted, authenticated roles.
    • Enforce server-side SVG sanitization or convert SVG uploads to raster images.
    • Deploy targeted rules on your WAF or server to block suspicious SVG uploads and inline script attributes.
    • Tighten Content-Security-Policy and related headers to reduce impact.
    • Scan uploads and the database for suspicious SVG files or payloads and remove them.

How the vulnerability works (technical explanation)

SVG (Scalable Vector Graphics) is an XML-based image format that supports shapes, styles and script execution via embedded JavaScript. If an application accepts and stores SVG files and later outputs their content in a way the browser interprets as inline markup (for example, embedding SVG markup directly into pages or serving it with a content type that allows inline rendering), an attacker can include executable JavaScript inside the SVG. When another user or an administrator views the page, the script runs in the site’s origin context, causing a stored XSS condition.
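As an added example that is not part of the advisory or the Houzez code, here is the "scan uploads for suspicious SVG files" step from the mitigation list written in Python: a fail-closed checker that parses an SVG and flags the constructs described above (<script> elements, on* event-handler attributes and javascript: hrefs), plus a walker for an uploads tree. The sample SVGs are constructed, and the uploads path is an assumption.

```python
"""Flag SVG files containing markup that executes script when rendered inline."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from pathlib import Path

EVENT_PREFIX = "on"  # onload=, onclick=, onerror=, ...

def local_name(tag: str) -> str:
    """Strip a namespace prefix such as '{http://www.w3.org/2000/svg}' and lowercase."""
    return tag.rsplit("}", 1)[-1].lower()

def svg_findings(svg_text: str) -> list[str]:
    """Return the reasons an SVG is unsafe; an empty list means nothing was found.
    A parse failure is itself a finding: a sanitizer should fail closed."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings: list[str] = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ("script", "foreignobject"):  # script and embedded-HTML containers
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)  # 'xlink:href' arrives as '{xlink-ns}href'
            if aname.startswith(EVENT_PREFIX):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href":
                # Strip all whitespace first: "java\nscript:" is still a JS URI to browsers.
                if "".join(value.split()).lower().startswith("javascript:"):
                    findings.append(f"javascript: URI in {aname} on <{name}>")
    return findings

def scan_uploads(directory: str) -> dict[str, list[str]]:
    """Walk an uploads tree (assumed: wp-content/uploads) and report flagged .svg files."""
    report: dict[str, list[str]] = {}
    for path in Path(directory).rglob("*.svg"):
        findings = svg_findings(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path)] = findings
    return report

# Constructed samples: a harmless icon and one carrying an event handler plus a JS URI.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
                'xmlns:xlink="http://www.w3.org/1999/xlink" onload="x()">'
                '<a xlink:href="java\nscript:x()"><text>x</text></a></svg>')

if __name__ == "__main__":
    print(svg_findings(SCRIPTED_SVG))
    print(scan_uploads("wp-content/uploads"))  # assumed path; empty report if absent
```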

In this specific issue:

  • The theme allowed uploading SVG files without adequate sanitization or validation.
  • Uploaded SVGs could contain JavaScript, inline event attributes (onload, onclick, etc.) or