Skip to main content

Real Estate 7 CVE-2026-57343

| EUVDEUVD-2026-41343 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-v47f-fhqp-6ffw
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network XSS (PR:N, AV:N) needing victim click (UI:R); injected script crosses into the browser context (S:C) with limited C/I/A impact typical of XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:12 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Real Estate 7 <= 3.5.9 versions.

AnalysisAI

Reflected/stored Cross-Site Scripting in the Real Estate 7 WordPress theme (contempoinc) versions 3.5.9 and earlier lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The scope-changing flaw (CVSS 3.1 7.1) can hijack sessions or perform actions in the victim's authenticated context, including administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with malicious script in theme parameter
Delivery
Deliver link to victim via email or listing
Exploit
Victim visits Real Estate 7 page
Execution
Payload reflected and executed in browser
Impact
Steal session/token or act as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) but does require victim user interaction (UI:R) - a target must click an attacker-crafted link or visit a page carrying the malicious payload - and the site must run Real Estate 7 theme version 3.5.9 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1 High) shows a network-reachable, low-complexity flaw requiring no privileges but requiring user interaction, with a scope change (S:C) reflecting that injected script executes in the browser context beyond the vulnerable component - the hallmark of XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL pointing at a Real Estate 7 site with a malicious script embedded in a reflected parameter and distributes it via email or a listing link. When a logged-in site administrator or visitor clicks the link, the script executes in their browser under the site's origin, allowing session cookie theft, CSRF-token exfiltration, or actions performed as that user. …
Remediation No vendor-released patch version is identified in the provided data, so upgrade to the vendor's latest patched release of Real Estate 7 above 3.5.9 as soon as ContempoInc publishes it, and monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/realestate-7/vulnerability/wordpress-real-estate-7-theme-3-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve) for the exact fix version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct asset inventory to identify all sites using Real Estate 7 theme version 3.5.9 or earlier; flag critical or customer-facing properties for immediate triage. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57343 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy