WordPress Plugin Vulnerabilities

Essential Real Estate < 4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description

The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
essential-real-estate
Fixed in 4.4.3

References

CVE
CVE-2024-4273
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c62ec31a-55e9-4404-b860-fa9a51ba3d3f

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
e1d29341-f82a-45fc-900f-ffb31e76b10b

Timeline

Publicly Published
2024-06-03 (about 1 year ago)
Added
2024-06-03 (about 1 year ago)
Last Updated
2024-07-08 (about 1 year ago)

Other

Published
Title
Published
2024-06-21
Title
WP Secure Maintenance < 1.7 - Admin+ Stored XSS
Published
2026-04-13
Title
Surbma | Booking.com < 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-06-18
Title
School Management <= 92.0.0 - Reflected Cross-Site Scripting
Published
2022-10-24
Title
Auto Upload Images < 3.3.1 - Admin+ Stored Cross-Site Scripting
Published
2022-12-16
Title
iPanorama 360 WordPress Virtual Tour Builder < 1.6.30 - Contributor+ Stored XSS