Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network reflected XSS requiring victim click (UI:R) with cross-context execution (S:C) and limited browser-side confidentiality/integrity/availability impact, matching the disclosed vector.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows Reflected XSS.This issue affects PropertyHive: from n/a through <= 2.2.3.
AnalysisAI
Reflected cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.3) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. No public exploit has been identified at time of analysis and the flaw is not on CISA KEV; EPSS data was not provided. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to click or load an attacker-crafted link containing the XSS payload (UI:R), and the target site must be running PropertyHive at version 2.2.3 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 (High) driven by network vector (AV:N), low complexity (AC:L), no privileges (PR:N) and a changed scope (S:C) reflecting that injected script executes in the victim's browser context rather than the vulnerable server. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to a PropertyHive-powered page with a malicious payload in a reflected parameter and delivers it to a victim (e.g., a site administrator) via email or a forum link. When the victim clicks, their browser executes the attacker's JavaScript in the site's context, allowing session cookie theft or actions performed as the victim. … |
| Remediation | No vendor-released patch version was identified in the provided data; the advisory only records affected versions through 2.2.3, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/propertyhive/vulnerability/wordpress-propertyhive-plugin-2-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve) and the WordPress plugin repository for a release later than 2.2.3 and upgrade as soon as one is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit all WordPress instances for PropertyHive plugin versions ≤2.2.3 and document affected sites; notify site administrators of the risk and the need to avoid clicking suspicious links. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Propertyhive
View allThe Property Hive WordPress plugin before 2.1.1 does not sanitise and escape a parameter before outputting it back in th
Deserialization of Untrusted Data vulnerability in PropertyHive.0.5. Rated high severity (CVSS 8.7), this vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PropertyHive allow
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PropertyHive allow
The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including,
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
The PropertyHive plugin before 1.4.15 for WordPress has XSS via the body parameter to includes/admin/views/html-preview-
Deserialization of Untrusted Data vulnerability in PropertyHive.0.9. Rated medium severity (CVSS 5.4), this vulnerabilit
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PropertyHiv
The PropertyHive plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on th
Missing Authorization vulnerability in PropertyHive.0.6. Rated medium severity (CVSS 4.3), this vulnerability is remotel
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43455