WordPress Plugin Vulnerabilities

Essential WP Real Estate <= 1.1.3 - Reflected XSS

Description

The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

Proof of Concept

Affects Plugins

Plugin icon
essential-wp-real-estate
No known fix

References

CVE
CVE-2024-13347

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Hassan Khan Yusufzai - Splint3r7
Submitter
Hassan Khan Yusufzai - Splint3r7
Submitter website
https://hassankhanyusufzai.com
Submitter twitter
Splint3r7
Verified
Yes
WPVDB ID
e2f97636-4c67-409a-83c6-ad6255aa2cc5

Timeline

Publicly Published
2025-01-13 (about 11 months ago)
Added
2025-01-13 (about 11 months ago)
Last Updated
2025-01-13 (about 11 months ago)

Other

Published
Title
Published
2022-02-10
Title
Social Media Feather < 2.0.5 - Admin+ Stored Cross-Site Scripting
Published
2024-01-12
Title
WP SMS < 6.5.2 - Contributor+ Stored Cross-Site Scripting
Published
2015-04-21
Title
WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2025-01-28
Title
Simple Image Sizes < 3.2.3 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2024-02-12
Title
TNC PDF viewer < 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode