Platform: wordpress
Component: houzez-property-feed
Fixed in: 2.5.4
CVE-2025-30793 describes an Arbitrary File Access (path traversal) vulnerability in the Houzez Property Feed WordPress plugin. Because the plugin does not adequately restrict a user-supplied file path, an attacker can supply traversal sequences and read files on the server that the feature was never meant to expose, bypassing the intended access controls. All releases before 2.5.4 are affected; version 2.5.4 is the fixed release.
The vulnerability lets an attacker read any file the web server process can read. On a WordPress install that includes wp-config.php (database credentials and the authentication keys and salts) and may include API keys or other secrets kept under the web root. Successful exploitation can therefore lead to complete compromise of the site and potentially the underlying server: database credentials give direct access to user and session data, and credentials for other services enable pivoting. The advisory itself describes only file reading, not code execution, but reading server files is commonly the first step toward it, for example by reusing recovered credentials to obtain an administrative session.
This CVE was published on 2025-04-01. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability's severity is rated HIGH (CVSS 7.5), indicating a significant risk. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.50% (66th percentile)
The primary mitigation is to upgrade the Houzez Property Feed plugin to version 2.5.4 or later immediately. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that blocks path-traversal sequences can reduce exposure, but it must be applied to the decoded request: a rule that matches only the literal ../ is trivially bypassed with ..\, %2e%2e%2f or double-encoded variants. Note that tightening file permissions does not help against this bug class, because the read happens as the web server user and everything that user can read is exposed; instead keep secrets the web application does not need out of its readable scope, and if you suspect the file was read, rotate the database credentials and the authentication keys and salts in wp-config.php. Regularly review WordPress plugin installations and ensure they are from trusted sources.
Update the Houzez Property Feed plugin to version 2.5.4 or later to mitigate the path-traversal vulnerability. The update addresses the missing restriction on the file path, preventing unauthorized access to sensitive files on the server.
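The two interim measures above (a WAF rule that survives encoding tricks, and the server-side containment check that a proper fix for this bug class performs) as an added example in Python. This is not code from the Houzez Property Feed plugin or from its 2.5.4 patch; the plugin's real parameter names and file layout are not given on this page, so the "feeds" directory and the file names used below are constructed for the demonstration.

```python
"""Path-traversal defenses for a file-serving endpoint.

Added example (Python), not code from the Houzez Property Feed plugin or its
2.5.4 patch: the plugin's real parameter names and file layout are not on this
page, so the 'feeds' directory and file names below are constructed.
"""
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def normalize_for_waf(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, then fold '\\' to '/'.

    A WAF rule that matches the literal '../' misses '%2e%2e%2f', '..%5c' and
    double-encoded '%252e%252e%252f'; the rule has to run on this form."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def looks_like_traversal(raw: str) -> bool:
    """Edge-side check: any '..' segment, an absolute path, or a NUL byte."""
    value = normalize_for_waf(raw)
    if "\x00" in value:
        return True
    if value.startswith("/"):
        return True
    return any(segment == ".." for segment in value.split("/"))


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Server-side check the fix class needs: canonicalize, then contain.

    realpath resolves '..' and symlinks; commonpath then proves the result is
    still under base_dir. Returns the safe absolute path, or None to refuse."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> Dict[str, object]:
    """Exercise resolve_inside against a throwaway feed directory."""
    with tempfile.TemporaryDirectory() as tmp:
        feeds = os.path.join(tmp, "feeds")
        os.makedirs(feeds)
        with open(os.path.join(feeds, "listing.xml"), "w", encoding="utf-8") as fh:
            fh.write("<feed/>")  # constructed placeholder feed file
        return {
            "legit": resolve_inside(feeds, "listing.xml") is not None,
            "dotdot": resolve_inside(feeds, "../../etc/passwd"),
            "absolute": resolve_inside(feeds, "/etc/passwd"),
        }


if __name__ == "__main__":
    for probe in ("../../wp-config.php", "%2e%2e%2f%2e%2e%2fwp-config.php",
                  "..%255c..%255cwp-config.php", "feeds/listing.xml"):
        print(f"{probe!r:45} traversal={looks_like_traversal(probe)}")
    print(demo())
```

The split of responsibilities matters: the WAF sees the raw request and must decode it itself, whereas the application receives the already-decoded parameter and must canonicalize the resulting filesystem path before opening it. Neither check replaces the other, and neither replaces the upgrade.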
CVE-2025-30793 is a HIGH severity (CVSS 7.5) vulnerability in the Houzez Property Feed WordPress plugin that allows attackers to read sensitive files via path traversal. It affects all versions before 2.5.4.
If you are running a version of Houzez Property Feed older than 2.5.4 on your WordPress site, you are affected. Check the installed version immediately, either on the Plugins screen in wp-admin or by reading the Version line of the plugin's header file.
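A version check in Python, added here as an illustration and not taken from the plugin or its vendor. It parses the standard WordPress plugin header (the Version: line in the plugin's main PHP file) and compares the result numerically against the fixed release. The default path is an assumption about the usual wp-content layout and the main file being named after the plugin slug; the sample header is constructed for the demonstration.

```python
"""Is the installed Houzez Property Feed older than the fixed release?

Added example (Python), not code from the plugin or its vendor. It reads the
standard WordPress plugin header ('Version:' line) from the plugin's main PHP
file. The default path below assumes the usual wp-content layout and that the
main file is named after the plugin slug; pass the real path if yours differs.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "2.5.4"  # fixed release named in the advisory
DEFAULT_PLUGIN_FILE = (  # assumed location, not confirmed by the advisory
    "wp-content/plugins/houzez-property-feed/houzez-property-feed.php"
)
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Constructed sample header in the standard WordPress plugin-header format;
# the version number here is made up for the demonstration.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Houzez Property Feed
 * Description: example header, constructed for this check
 * Version: 2.5.3
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' value from a WordPress plugin header, if present."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric comparison key: '2.5.10' -> (2, 5, 10), so 2.5.10 > 2.5.4.

    Pre-release suffixes such as '-beta1' are dropped, so a '2.5.4-beta1'
    build compares equal to 2.5.4; treat such builds as suspect manually."""
    core = re.split(r"[^0-9.]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split(".") if part)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fix."""
    return version_tuple(installed) < version_tuple(fixed)


def check_plugin_file(path: str = DEFAULT_PLUGIN_FILE) -> str:
    """Read the header from disk and report; 'unknown' if no version found."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            header = fh.read(8192)  # WordPress itself reads the first 8 KiB
    except OSError:
        return "missing"
    installed = parse_plugin_version(header)
    if installed is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(installed) else "fixed"


if __name__ == "__main__":
    print("sample header:", parse_plugin_version(SAMPLE_HEADER))
    print("installed plugin:", check_plugin_file())
```

Run it from the WordPress root. Comparing version tuples rather than strings avoids the classic mistake of treating "2.5.10" as older than "2.5.4".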
Upgrade the Houzez Property Feed plugin to version 2.5.4 or later to resolve the Arbitrary File Access vulnerability. Consider WAF rules as a temporary mitigation.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-30793, but the vulnerability is publicly known and could be targeted.
Refer to the official Houzez Property Feed plugin documentation and website for the latest security advisories and updates related to CVE-2025-30793.