CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Estatik Estatik estatik allows DOM-Based XSS. This issue affects Estatik: from n/a through <= 4.3.0.
Analysis (AI)
DOM-based cross-site scripting (XSS) in the Estatik WordPress plugin through version 4.3.0 allows authenticated attackers with low privileges to inject scripts that execute in the browsers of other users, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions with the victim's permissions. Exploitation requires user interaction (the victim must open a crafted link), and the CVSS scope is Changed (S:C), so the impact can extend beyond the vulnerable plugin component to the surrounding site. No public exploit code or active exploitation had been identified at the time of analysis; the low EPSS score (0.02%) suggests limited real-world exploitation despite the medium-range CVSS rating.
Technical Context (AI)
The vulnerability stems from improper neutralization of user-controllable input during DOM manipulation in the Estatik WordPress plugin, a real estate listing and property management tool. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin fails to sanitize or encode user input before inserting it into the Document Object Model. DOM-based XSS differs from reflected or stored XSS in that the defect lives entirely in client-side JavaScript: unsanitized data flows from a source (typically the URL fragment or query parameters) into a sink (innerHTML, eval, or a similar DOM-modifying method) without ever being reflected by the server. No CPE is given in the available data; the affected product is the Estatik WordPress plugin maintained by the vendor Estatik, in versions up to and including 4.3.0.
Affected Products (AI)
The vulnerability affects the Estatik WordPress plugin in all versions from the initial release through version 4.3.0. The affected product is the Estatik real estate listing plugin available on the WordPress plugin repository, identified through the reference link to Patchstack's WordPress vulnerability database (https://patchstack.com/database/Wordpress/Plugin/estatik/vulnerability/wordpress-estatik-plugin-4-1-13-cross-site-scripting-xss-vulnerability); note that the Patchstack URL slug names version 4.1.13 while the NVD description gives <= 4.3.0 as the affected range. WordPress sites running Estatik at version 4.3.0 or earlier are in scope; no patched version is specified in the available data, so either the fix was pending or the version was not disclosed at the time of publication.
Remediation (AI)
Site administrators should upgrade the Estatik WordPress plugin to a patched version released after 4.3.0 as soon as one is available. Consult the Patchstack database entry and the official Estatik plugin page on the WordPress plugin repository for the latest available version and patch notes. If an upgrade is not immediately available, apply a temporary workaround: restrict plugin access to trusted administrators only, disable the plugin until a patch is released, or deploy Web Application Firewall (WAF) rules against suspicious script-injection patterns. Be aware that a WAF only sees what reaches the server: a DOM-based payload carried in the URL fragment (the part after #) is never sent in the HTTP request, so WAF rules and server logs cannot be relied on to catch every variant. Site owners should audit their WordPress admin activity logs for signs of unauthorized access or suspicious link activity. The advisory URL (https://patchstack.com/database/Wordpress/Plugin/estatik/vulnerability/wordpress-estatik-plugin-4-1-13-cross-site-scripting-xss-vulnerability) provides detailed remediation guidance and should be consulted directly.