CVE-2026-13357
Last modified
CVE-2026-13357 is a medium-severity vulnerability rated 4.9/10 on the CVSS scale. The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table (and Houzez_Property_Feed_Admin_Logs_Import_Table) class. The user-controlled $_GET['orderby'] and $_GET['order'] values are filtered only with sanitize_text_field() and then concatenated into the SQL format string before $wpdb->prepare() is called — prepare() only parameterizes the appended LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table (and Houzez_Property_Feed_Admin_Logs_Import_Table) class. The user-controlled $_GET['orderby'] and $_GET['order'] values are filtered only with sanitize_text_field() and then concatenated into the SQL format string before $wpdb->prepare() is called — prepare() only parameterizes the appended LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| propertyhive | Houzez Property Feed | <= 2.5.46 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13357?
How severe is CVE-2026-13357?
How do I fix CVE-2026-13357?
Related CVEs from 2026
- CVE-2026-13347The Hide My WP Lite plugin for WordPress is vulnerable to Ar…7.5
- CVE-2026-1335An Out-Of-Bounds Write vulnerability affecting the EPRT file…7.8
- CVE-2026-13350Permissions where checked incorrectly during room creation, …2.3
- CVE-2026-13351Zephyr's IPv6 network stack can be prevented from receiving …7.5
- CVE-2026-13353The WP Ultimate CSV Importer – WordPress Import & Export for…8.8
- CVE-2026-13356A malicious webpage could interrupt a pending navigation by …6.3
- CVE-2026-1336The AI ChatBot with ChatGPT and Content Generator by AYS plu…5.3
- CVE-2026-13368WatchGuard Fireware OS contains a race condition leading to …9.2
- CVE-2026-13369The Ninja Forms - File Uploads plugin for WordPress is vulne…7.5
- CVE-2026-1337Insufficient escaping of unicode characters in query log in …5.4
- CVE-2026-13371An authenticated administrator can trigger a denial-of-servi…6.9
- CVE-2026-13372Incorrect link resolution by display name in the custom Powe…7.2
Are you affected by CVE-2026-13357?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
