Platform
wordpress
Component
houzez-property-feed
Fixed in
2.5.4
CVE-2025-30793 describes an Arbitrary File Access vulnerability within the Houzez Property Feed plugin for WordPress. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths, leading to exposure of sensitive data. The vulnerability impacts versions 0.0 through 2.5.4 of the plugin. A patch has been released in version 2.5.4.
An attacker exploiting this vulnerability could read sensitive files from the web server's file system. This could include configuration files containing database credentials, private keys, or source code. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the underlying server. The impact is amplified if the server hosts other sensitive applications or data. While the vulnerability is classified as Arbitrary File Access, the potential for data exfiltration and system compromise is significant.
This vulnerability was publicly disclosed on April 1, 2025. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The relatively low profile of the plugin may limit its immediate exploitation, but it remains a significant risk for sites using it.
WordPress sites using the Houzez Property Feed plugin, particularly those running older versions (0.0 - 2.5.4), are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to access to files on other sites.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/houzez-property-feed/*
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/houzez-property-feed/../../../../etc/passwd
Exploit status
EPSS
0.50% (66th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Houzez Property Feed plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Carefully review file permissions on the server to ensure that the web server user has minimal access to sensitive files. Monitor web server access logs for suspicious requests containing path traversal attempts. After upgrade, confirm the vulnerability is resolved by attempting to access a non-public file via a crafted URL.
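The log-monitoring step above is easy to get wrong if the check only looks for a literal "../", because traversal sequences usually arrive URL-encoded or double-encoded. The following scanner is an added example, not code from the page or from the plugin project: it parses combined-format access-log lines, decodes the request target repeatedly, flags any request carrying a traversal sequence, and marks whether the server answered with a 2xx status (a sign the file may actually have been served). The log lines are constructed; only the plugin path comes from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# The plugin path is the one named in the advisory; everything else is made up.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2025:10:15:01 +0000] "GET /wp-content/plugins/houzez-property-feed/feed.php?file=export.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [02/Apr/2025:10:15:07 +0000] "GET /wp-content/plugins/houzez-property-feed/../../../../etc/passwd HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.12 - - [02/Apr/2025:10:15:09 +0000] "GET /wp-content/plugins/houzez-property-feed/feed.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
203.0.113.13 - - [02/Apr/2025:10:15:12 +0000] "GET /wp-content/plugins/houzez-property-feed/feed.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
203.0.113.14 - - [02/Apr/2025:10:15:20 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

PLUGIN_PATH = "/wp-content/plugins/houzez-property-feed"

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# "../" or "..\" anywhere in the decoded request target (path or query string).
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalise(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (%252e%252e%252f) surface."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it is not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def is_traversal_attempt(target: str) -> bool:
    """True when the decoded target contains a directory-traversal sequence."""
    return TRAVERSAL_RE.search(normalise(target)) is not None


def scan_log(text: str):
    """Scan access-log text; return one record per request carrying a traversal sequence."""
    hits = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None or not is_traversal_attempt(fields["target"]):
            continue
        decoded = normalise(fields["target"])
        hits.append({
            "ip": fields["ip"],
            "timestamp": fields["ts"],
            "status": fields["status"],
            "decoded_target": decoded,
            # request aimed at the plugin directory named in the advisory
            "in_plugin": decoded.startswith(PLUGIN_PATH),
            # a 2xx answer means the server may actually have served the file
            "served": 200 <= fields["status"] < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["status"]} {flag} {hit["decoded_target"]}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; entries marked "served" deserve a follow-up check of what the plugin actually returned, while "blocked" entries show that a WAF rule or the upgraded plugin is rejecting the attempts. The same decoding step is what a WAF rule must apply before matching, otherwise a rule that only matches a literal "../" misses the encoded variants shown in the sample.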
Update the Houzez Property Feed plugin to version 2.5.4 or later to mitigate the path traversal vulnerability. This update addresses the missing restrictions on the file path, preventing unauthorized access to sensitive files on the server.
CVE-2025-30793 is a HIGH severity vulnerability in the Houzez Property Feed WordPress plugin allowing attackers to read sensitive files via path traversal. It affects versions 0.0 through 2.5.4.
If you are using Houzez Property Feed version 0.0 to 2.5.4 on your WordPress site, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade the Houzez Property Feed plugin to version 2.5.4 or later to resolve the Arbitrary File Access vulnerability. Consider WAF rules as a temporary mitigation.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-30793, but the vulnerability is publicly known and could be targeted.
Refer to the official Houzez Property Feed plugin documentation and website for the latest security advisories and updates related to CVE-2025-30793.