CVE-2026-13357 is a SQL Injection vulnerability in the Houzez Property Feed plugin for WordPress, affecting all versions up to and including 2.5.46. The flaw exists in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table and Houzez_Property_Feed_Admin_Logs_Import_Table classes, where user-supplied orderby and order GET parameters are insufficiently sanitized before being concatenated into SQL queries. It was published on July 2, 2026, with a patch made available the same day. The vulnerability carries a CVSS v3.1 base score of 4.9 (Medium) (GitHub Advisory).
The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The user-controlled $_GET['orderby'] and $_GET['order'] values are filtered only with WordPress's sanitize_text_field() — which strips HTML tags but does not prevent SQL injection — and then concatenated directly into the SQL format string before $wpdb->prepare() is called. Because prepare() only parameterizes the subsequently appended LIMIT/OFFSET clause, it cannot retroactively sanitize the already-tainted ORDER BY clause, leaving it open to SQL injection. The vulnerable code is located in class-houzez-property-feed-admin-logs-export-table.php (lines 205 and 219) and class-houzez-property-feed-admin.php (lines 138 and 587) (GitHub Advisory).
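As an added illustration (not the plugin's own code; table and column names are hypothetical), the vulnerable construction described above is shown beside a hardened form that validates the identifiers against a fixed allowlist, since ORDER BY column names cannot be bound through $wpdb->prepare() placeholders:

```php
<?php
// Added illustration, not code from the Houzez Property Feed plugin.
// Table name "hpf_logs" and the column names are hypothetical.

// Vulnerable pattern: orderby/order pass through sanitize_text_field(), which
// strips HTML but leaves SQL syntax intact, and are concatenated into the query
// before $wpdb->prepare() runs. prepare() only binds the %d placeholders for
// LIMIT/OFFSET, so the ORDER BY fragment reaches the database unescaped.
function vulnerable_prepare_items( $wpdb, $per_page, $offset ) {
    $orderby = sanitize_text_field( $_GET['orderby'] ?? 'id' );
    $order   = sanitize_text_field( $_GET['order'] ?? 'DESC' );
    $sql = "SELECT * FROM {$wpdb->prefix}hpf_logs ORDER BY $orderby $order LIMIT %d OFFSET %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $per_page, $offset ) );
}

// Hardened form: identifiers are checked against an allowlist of known column
// names and the sort direction is reduced to exactly ASC or DESC. Anything else
// falls back to a safe default instead of reaching the query string.
function hardened_prepare_items( $wpdb, $per_page, $offset ) {
    $allowed_columns = array( 'id', 'log_date', 'status' ); // hypothetical columns
    $orderby = $_GET['orderby'] ?? 'id';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }
    $order = ( strtoupper( $_GET['order'] ?? 'DESC' ) === 'ASC' ) ? 'ASC' : 'DESC';
    // Only allowlisted identifiers are interpolated; LIMIT/OFFSET are still bound via prepare().
    $sql = "SELECT * FROM {$wpdb->prefix}hpf_logs ORDER BY `$orderby` $order LIMIT %d OFFSET %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $per_page, $offset ) );
}
```

The same allowlist check applies to any admin table that accepts user-controlled sort columns, not only the two classes named in the advisory.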
Successful exploitation allows an authenticated attacker with Administrator-level access to append arbitrary SQL queries to existing database queries, enabling extraction of sensitive information from the WordPress database — including user credentials, configuration data, and other stored content. The impact is limited to confidentiality (no integrity or availability impact), and exploitation requires high privileges, reducing the overall risk. However, database contents exposed through this vector could facilitate further attacks such as credential theft or privilege escalation (GitHub Advisory).
Exploitation steps:
- An attacker with Administrator-level access loads the admin logs export or import table page, which invokes the prepare_items() method of the vulnerable class.
- The attacker supplies a crafted orderby GET parameter in the URL, e.g., ?orderby=column_name,(SELECT+SLEEP(5))-- or a UNION-based payload to extract data, since sanitize_text_field() does not strip SQL syntax.
- Because the ORDER BY clause is concatenated into the SQL string before $wpdb->prepare() is called, the injected SQL is evaluated by the database engine without parameterization.

Detection:
- Web server access logs containing SQL keywords or metacharacters in the orderby or order query parameters (e.g., UNION, SELECT, SLEEP, --, %27).
- Requests to the plugin's admin log pages with unusual orderby parameter values; database error logs indicating malformed SQL queries.
- Database query logs showing ORDER BY clauses with injected SQL fragments originating from the WordPress admin interface.

Mitigation:
Update the Houzez Property Feed plugin to a version released after 2.5.46, which addresses the SQL injection by properly parameterizing all components of the SQL query, including the ORDER BY clause. The patch is referenced in the WordPress plugin changeset (GitHub Advisory). As an interim measure, restrict Administrator-level access to trusted users only and monitor database access logs for suspicious SQL query patterns. Implementing a Web Application Firewall (WAF) rule to block SQL keywords in GET parameters can provide additional defense-in-depth.
Source: This report was generated with the help of AI