CVE-2026-13357
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-13357 is a SQL Injection vulnerability in the Houzez Property Feed plugin for WordPress, affecting all versions up to and including 2.5.46. The flaw exists in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table and Houzez_Property_Feed_Admin_Logs_Import_Table classes, where user-supplied orderby and order GET parameters are insufficiently sanitized before being concatenated into SQL queries. It was published on July 2, 2026, with a patch made available the same day. The vulnerability carries a CVSS v3.1 base score of 4.9 (Medium) (GitHub Advisory).

Technical details

The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The user-controlled $_GET['orderby'] and $_GET['order'] values are filtered only with WordPress's sanitize_text_field() — which strips HTML tags but does not prevent SQL injection — and then concatenated directly into the SQL format string before $wpdb->prepare() is called. Because prepare() only parameterizes the subsequently appended LIMIT/OFFSET clause, it cannot retroactively sanitize the already-tainted ORDER BY clause, leaving it open to SQL injection. The vulnerable code is located in class-houzez-property-feed-admin-logs-export-table.php (lines 205 and 219) and class-houzez-property-feed-admin.php (lines 138 and 587) (GitHub Advisory).

Impact

Successful exploitation allows an authenticated attacker with Administrator-level access to append arbitrary SQL queries to existing database queries, enabling extraction of sensitive information from the WordPress database — including user credentials, configuration data, and other stored content. The impact is limited to confidentiality (no integrity or availability impact), and exploitation requires high privileges, reducing the overall risk. However, database contents exposed through this vector could facilitate further attacks such as credential theft or privilege escalation (GitHub Advisory).

Exploitation steps

  1. Authentication: Log in to the WordPress admin panel with an account holding Administrator-level privileges or higher.
  2. Identify vulnerable endpoint: Navigate to the Houzez Property Feed admin logs page (export or import table view), which invokes the prepare_items() method of the vulnerable class.
  3. Craft malicious request: Append a SQL injection payload to the orderby GET parameter in the URL, e.g., ?orderby=column_name,(SELECT+SLEEP(5))-- or a UNION-based payload to extract data, since sanitize_text_field() does not strip SQL syntax.
  4. Bypass prepare(): Because the tainted ORDER BY clause is concatenated into the SQL string before $wpdb->prepare() is called, the injected SQL is evaluated by the database engine without parameterization.
  5. Extract data: Use time-based blind or UNION-based SQL injection techniques to enumerate database tables, extract WordPress user hashes, or retrieve other sensitive configuration data from the database (GitHub Advisory).

Indicators of compromise

  • Network: HTTP GET requests to the Houzez Property Feed admin logs page containing unusual or encoded SQL syntax in the orderby or order query parameters (e.g., UNION, SELECT, SLEEP, --, %27).
  • Logs: WordPress or web server access logs showing repeated requests to the plugin's admin log export/import table endpoints with anomalous orderby parameter values; database error logs indicating malformed SQL queries.
  • Database: Unexpected or unauthorized queries in the MySQL general query log involving ORDER BY clauses with injected SQL fragments originating from the WordPress admin interface.
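The log-based indicators above can be checked mechanically. The following is an added detection example, not part of the advisory: it scans access-log lines for requests to the plugin's admin log pages and flags any orderby value that is not a plain column name or any order value that is not ASC/DESC. The log lines, the admin page slug and the function name are constructed for this example.

```php
<?php
// Constructed sample access-log lines (not real traffic). The second and
// third carry the kind of encoded SQL syntax the advisory lists as an IoC.
$log_lines = array(
    '203.0.113.5 - - [02/Jul/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=houzez-property-feed-logs&orderby=import_date&order=desc HTTP/1.1" 200 5120',
    '203.0.113.5 - - [02/Jul/2026:10:00:07 +0000] "GET /wp-admin/admin.php?page=houzez-property-feed-logs&orderby=id%2C(SELECT+SLEEP(5))--&order=asc HTTP/1.1" 200 5120',
    '198.51.100.9 - - [02/Jul/2026:10:01:12 +0000] "GET /wp-admin/admin.php?page=houzez-property-feed-logs&orderby=status&order=asc%27 HTTP/1.1" 200 5120',
);

// Returns the lines whose orderby/order parameters fall outside what the
// plugin's sortable table could legitimately send (hypothetical helper).
function suspicious_orderby_requests( array $lines ) {
    $hits = array();
    foreach ( $lines as $line ) {
        // Only requests to the plugin's admin pages are of interest here.
        if ( ! preg_match( '#"GET (\S*houzez-property-feed\S*) HTTP#', $line, $m ) ) {
            continue;
        }
        $query = parse_url( $m[1], PHP_URL_QUERY );
        if ( $query === null || $query === false ) {
            continue;
        }
        // parse_str() URL-decodes, so %27, %2C and '+' are revealed before matching.
        parse_str( $query, $params );
        $reasons = array();
        if ( isset( $params['orderby'] ) && ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', $params['orderby'] ) ) {
            $reasons[] = 'orderby=' . $params['orderby'];
        }
        if ( isset( $params['order'] ) && ! in_array( strtoupper( $params['order'] ), array( 'ASC', 'DESC' ), true ) ) {
            $reasons[] = 'order=' . $params['order'];
        }
        if ( $reasons ) {
            $hits[] = array( 'line' => $line, 'reasons' => $reasons );
        }
    }
    return $hits;
}

foreach ( suspicious_orderby_requests( $log_lines ) as $hit ) {
    echo 'ALERT ' . implode( '; ', $hit['reasons'] ) . PHP_EOL;
}
```

Run against the sample lines, the first request passes and the second and third are reported; in production, point the loop at the real access log and scope the page-slug pattern to the plugin's actual admin pages.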

Mitigation and workarounds

Update the Houzez Property Feed plugin to a version released after 2.5.46, which addresses the SQL injection by properly parameterizing all components of the SQL query, including the ORDER BY clause. The patch is referenced in the WordPress plugin changeset (GitHub Advisory). As an interim measure, restrict Administrator-level access to trusted users only and monitor database access logs for suspicious SQL query patterns. Implementing a Web Application Firewall (WAF) rule to block SQL keywords in GET parameters can provide additional defense-in-depth.
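As an added illustration (not the plugin's code, which the advisory does not reproduce), the ordering pattern described under Technical details is shown next to an allowlist-based hardened form. The table name hpf_logs, the column names and the function names are assumptions. Identifiers such as column names cannot be bound through $wpdb->prepare() placeholders at all, so the fix is to validate orderby and order against a fixed list rather than to sanitize or escape them.

```php
<?php
// Vulnerable pattern as the advisory describes it: sanitize_text_field()
// strips HTML but leaves SQL syntax intact, and prepare() only binds the
// %d placeholders for LIMIT/OFFSET, so ORDER BY remains raw request text.
function vulnerable_logs_query( $wpdb, $per_page, $offset ) {
    $orderby = isset( $_GET['orderby'] ) ? sanitize_text_field( $_GET['orderby'] ) : 'id';
    $order   = isset( $_GET['order'] ) ? sanitize_text_field( $_GET['order'] ) : 'DESC';
    $sql     = "SELECT * FROM {$wpdb->prefix}hpf_logs ORDER BY $orderby $order LIMIT %d OFFSET %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $per_page, $offset ), ARRAY_A );
}

// Hardened form: the request value is compared (strictly) against an
// allowlist of sortable columns, the direction is reduced to ASC/DESC, and
// only those literals are interpolated; numeric paging stays in prepare().
function hardened_logs_query( $wpdb, $per_page, $offset ) {
    $allowed_columns = array( 'id', 'import_date', 'status', 'feed_name' ); // assumed columns
    $requested       = isset( $_GET['orderby'] ) ? (string) $_GET['orderby'] : 'id';
    $orderby         = in_array( $requested, $allowed_columns, true ) ? $requested : 'id';

    $order = ( isset( $_GET['order'] ) && strtoupper( (string) $_GET['order'] ) === 'ASC' ) ? 'ASC' : 'DESC';

    $sql = "SELECT * FROM {$wpdb->prefix}hpf_logs ORDER BY `$orderby` $order LIMIT %d OFFSET %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, absint( $per_page ), absint( $offset ) ), ARRAY_A );
}
```

Any orderby value outside the allowlist silently falls back to the default column, so a request carrying SQL syntax never reaches the database as part of the query.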

This report was generated using AI.
