Themes Vulnerabilities

Houzez < 1.8.4 - Unauthenticated Cross-Site Scripting (XSS)

Description

Two Reflected XSS vulnerability were discovered in the «Houzez - Real Estate WordPress Theme», tested version — v1.8.3.1

Edit (WPScanTeam):
January 11th, 2020 - Report received & Envato Contacted
January 12th, 2020 - Envato Investigating
January 27th, 2020 - v1.8.4 released, fixing the issue.

Proof of Concept

Affects Themes

houzez
Fixed in 1.8.4

References

URL
https://help.houzez.co/changelog/
URL
https://themeforest.net/item/houzez-real-estate-wordpress-theme/15752549

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Submitter twitter
m0ze_ru
Verified
Yes
WPVDB ID
c688c961-0cac-41fb-83ea-1cc5d42e0203

Timeline

Publicly Published
2020-01-11 (about 6 years ago)
Added
2020-01-28 (about 6 years ago)
Last Updated
2020-02-10 (about 6 years ago)

Other

Published
Title
Published
2024-10-17
Title
Easy Menu Manager | WPZest <= 1.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2025-09-05
Title
Smooth Accordion <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-14
Title
WP Headmaster <= 0.3 - Reflected Cross-Site Scripting
Published
2024-04-29
Title
Inline Google Spreadsheet Viewer <= 0.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2021-11-12
Title
GRAND FlaGallery <= 6.1.2 - Admin+ Stored Cross-Site Scripting