Skip to main content

Immonex Kickstart CVE-2026-31918

| EUVDEUVD-2026-11794 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-13 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11794
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:41 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in immonex immonex Kickstart immonex-kickstart allows Stored XSS.This issue affects immonex Kickstart: from n/a through <= 1.13.0.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in immonex Kickstart through version 1.13.0, allowing authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, resulting in arbitrary JavaScript execution with access to session cookies, user data, and the ability to perform actions on behalf of victims. While no KEV or widespread exploitation data is available for this CVE, the vulnerability is exploitable with low attack complexity and requires only user interaction (UI click), making it a moderate-to-high priority for organizations running immonex Kickstart.

Technical ContextAI

The vulnerability stems from improper neutralization of user-supplied input in the immonex Kickstart application, a real estate management and website builder platform. immonex Kickstart is a WordPress plugin and framework (CPE references indicate cpe:2.3:a:immonex:immonex_kickstart) that handles dynamic content generation for property listings and real estate websites. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-controllable data is directly embedded into HTML output without proper encoding or escaping. The plugin fails to sanitize user input at the point of data insertion into the DOM, allowing attackers to inject script tags or event handlers that execute in the context of other users' sessions. This is particularly dangerous in multi-user real estate platforms where agents and administrators collaborate on property listings.

RemediationAI

Immediately upgrade immonex Kickstart to the latest patched version (1.13.1 or later, pending vendor release confirmation). Check the immonex official security advisory at https://immonex.de or the WordPress plugin repository at https://wordpress.org/plugins/immonex-kickstart/ for the specific patched version number and upgrade instructions. Until patching is feasible, implement input validation and output encoding at the application level by enabling WordPress security plugins such as Wordfence or Sucuri that provide XSS filtering and Content Security Policy (CSP) headers; additionally, restrict admin and editor dashboard access to trusted IP ranges via .htaccess or WAF rules, enforce strong authentication (two-factor authentication), and monitor user activity logs for suspicious content modifications. Implement a strict Content Security Policy (CSP) header to prevent inline script execution, and regularly audit stored content (property listings, descriptions) for injected scripts.

Share

CVE-2026-31918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy