Skip to main content

PropertyHive CVE-2026-42729

| EUVDEUVD-2026-32180 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-xv3p-m7qm-cgmg
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:48 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows DOM-Based XSS.This issue affects PropertyHive: from n/a through <= 2.2.2.

AnalysisAI

DOM-based cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.2) lets a remote, unauthenticated attacker inject script that executes in a victim's browser when they interact with a crafted link or page element. Reported through Patchstack's audit program and tracked as EUVD-2026-32180, the flaw carries a CVSS 7.1 rating driven largely by its changed scope, but EPSS rates exploitation probability at just 0.03% (10th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

PropertyHive is a property and estate-agency management plugin for WordPress used to publish listings and search interfaces. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a DOM-based variant: attacker-controlled data reaches a client-side sink (for example JavaScript writing to the DOM via innerHTML, document.write, or unsafe handling of URL/location parameters) without proper output encoding, so the payload is rendered as live markup rather than inert text. Because the injection and execution both occur client-side, the malicious script runs entirely in the victim's browser against the WordPress site's origin. No CPE strings were supplied in the source data, but the affected component is the 'propertyhive' WordPress plugin (vendor: Property Hive) as identified in the Patchstack database entry.

RemediationAI

No vendor-released patched version is independently confirmed in the available data; the advisory only delimits the affected range as up to and including 2.2.2, so administrators should upgrade to the next vendor release above 2.2.2 once it is confirmed via the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/propertyhive/vulnerability/wordpress-propertyhive-plugin-2-2-2-cross-site-scripting-xss-vulnerability) or the WordPress plugin changelog, rather than relying on an unverified version number. Until a confirmed fix is applied, deploy a Web Application Firewall (such as Patchstack virtual patching or a WordPress security plugin) with rules to filter XSS payloads in request parameters reaching PropertyHive pages, accepting that this can cause false positives on legitimate listing data containing special characters. As a compensating control, add a restrictive Content-Security-Policy header that disallows inline script execution to blunt DOM-based payloads, with the trade-off that strict CSP may break legitimate inline scripts and requires testing. If the plugin is not actively used, deactivate and remove it to eliminate the exposure entirely.

Share

CVE-2026-42729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy