CVE-2025-30793: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-30793) is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability discovered in Property Hive Houzez Property Feed plugin versions through 2.5.4. The vulnerability was disclosed on March 29, 2025, and affects the WordPress plugin Houzez Property Feed (Patchstack).

The vulnerability is classified as a Path Traversal issue that enables arbitrary file download functionality. It has received a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

This vulnerability could allow a malicious actor to download any file from the affected website, including sensitive files containing login credentials or backup files. The impact primarily affects the confidentiality of the system, with high potential for unauthorized access to sensitive information (Patchstack).

The vulnerability has been fixed in version 2.5.5 of the Houzez Property Feed plugin. Users are advised to update to version 2.5.5 or later immediately. For Patchstack users, a virtual patch has been issued to mitigate this issue by blocking any attacks until the update to a fixed version is completed (Patchstack).