Skip to main content

PropertyHive CVE-2026-57381

| EUVDEUVD-2026-43455 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network reflected XSS requiring victim click (UI:R) with cross-context execution (S:C) and limited browser-side confidentiality/integrity/availability impact, matching the disclosed vector.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:04 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows Reflected XSS.This issue affects PropertyHive: from n/a through <= 2.2.3.

AnalysisAI

Reflected cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.3) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. No public exploit has been identified at time of analysis and the flaw is not on CISA KEV; EPSS data was not provided. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS payload
Delivery
Deliver link to victim via phishing
Exploit
Victim's browser loads reflected parameter
Execution
Injected JavaScript executes in site context
Impact
Steal session or act as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to click or load an attacker-crafted link containing the XSS payload (UI:R), and the target site must be running PropertyHive at version 2.2.3 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (High) driven by network vector (AV:N), low complexity (AC:L), no privileges (PR:N) and a changed scope (S:C) reflecting that injected script executes in the victim's browser context rather than the vulnerable server. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a PropertyHive-powered page with a malicious payload in a reflected parameter and delivers it to a victim (e.g., a site administrator) via email or a forum link. When the victim clicks, their browser executes the attacker's JavaScript in the site's context, allowing session cookie theft or actions performed as the victim. …
Remediation No vendor-released patch version was identified in the provided data; the advisory only records affected versions through 2.2.3, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/propertyhive/vulnerability/wordpress-propertyhive-plugin-2-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve) and the WordPress plugin repository for a release later than 2.2.3 and upgrade as soon as one is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all WordPress instances for PropertyHive plugin versions ≤2.2.3 and document affected sites; notify site administrators of the risk and the need to avoid clicking suspicious links. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-12585 MEDIUM POC
6.1 Jan 08

The Property Hive WordPress plugin before 2.1.1 does not sanitise and escape a parameter before outputting it back in th

CVE-2024-23513 HIGH
8.7 Feb 12

Deserialization of Untrusted Data vulnerability in PropertyHive.0.5. Rated high severity (CVSS 8.7), this vulnerability

CVE-2024-29923 HIGH
7.1 Mar 27

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PropertyHive allow

CVE-2024-34381 MEDIUM
6.5 May 06

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PropertyHive allow

CVE-2024-8490 MEDIUM
6.5 Sep 17

The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including,

CVE-2023-22706 MEDIUM
6.1 May 15

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at

CVE-2023-29172 MEDIUM
6.1 Apr 07

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at

CVE-2018-6465 MEDIUM
6.1 Jan 31

The PropertyHive plugin before 1.4.15 for WordPress has XSS via the body parameter to includes/admin/views/html-preview-

CVE-2024-27985 MEDIUM
5.4 Apr 11

Deserialization of Untrusted Data vulnerability in PropertyHive.0.9. Rated medium severity (CVSS 5.4), this vulnerabilit

CVE-2024-35701 MEDIUM
5.4 Jun 08

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PropertyHiv

CVE-2024-3607 MEDIUM
4.3 May 02

The PropertyHive plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on th

CVE-2024-24718 MEDIUM
4.3 Mar 26

Missing Authorization vulnerability in PropertyHive.0.6. Rated medium severity (CVSS 4.3), this vulnerability is remotel

Share

CVE-2026-57381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy