Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in immonex immonex Kickstart immonex-kickstart allows Stored XSS.This issue affects immonex Kickstart: from n/a through <= 1.13.0.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in immonex Kickstart through version 1.13.0, allowing authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, resulting in arbitrary JavaScript execution with access to session cookies, user data, and the ability to perform actions on behalf of victims. While no KEV or widespread exploitation data is available for this CVE, the vulnerability is exploitable with low attack complexity and requires only user interaction (UI click), making it a moderate-to-high priority for organizations running immonex Kickstart.
Technical ContextAI
The vulnerability stems from improper neutralization of user-supplied input in the immonex Kickstart application, a real estate management and website builder platform. immonex Kickstart is a WordPress plugin and framework (CPE references indicate cpe:2.3:a:immonex:immonex_kickstart) that handles dynamic content generation for property listings and real estate websites. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-controllable data is directly embedded into HTML output without proper encoding or escaping. The plugin fails to sanitize user input at the point of data insertion into the DOM, allowing attackers to inject script tags or event handlers that execute in the context of other users' sessions. This is particularly dangerous in multi-user real estate platforms where agents and administrators collaborate on property listings.
RemediationAI
Immediately upgrade immonex Kickstart to the latest patched version (1.13.1 or later, pending vendor release confirmation). Check the immonex official security advisory at https://immonex.de or the WordPress plugin repository at https://wordpress.org/plugins/immonex-kickstart/ for the specific patched version number and upgrade instructions. Until patching is feasible, implement input validation and output encoding at the application level by enabling WordPress security plugins such as Wordfence or Sucuri that provide XSS filtering and Content Security Policy (CSP) headers; additionally, restrict admin and editor dashboard access to trusted IP ranges via .htaccess or WAF rules, enforce strong authentication (two-factor authentication), and monitor user activity logs for suspicious content modifications. Implement a strict Content Security Policy (CSP) header to prevent inline script execution, and regularly audit stored content (property listings, descriptions) for injected scripts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11794