Skip to main content

PHP EUVD-2015-9411

| CVE-2015-20115 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-15 VulnCheck
PHP XSS Realtyscript
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 15, 2026 - 19:00 euvd
EUVD-2015-9411
Analysis Generated
Mar 15, 2026 - 19:00 vuln.today
CVE Published
Mar 15, 2026 - 18:34 nvd
HIGH 7.2

DescriptionCVE.org

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed by other users.

AnalysisAI

Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows attackers to upload malicious JavaScript files through unsanitized file uploads in admin/tools.php. With a publicly available proof-of-concept exploit and a CVSS score of 7.2, attackers can execute JavaScript in the context of other users' browsers without authentication, though the vulnerability is not listed in CISA KEV and has no EPSS score indicating limited real-world exploitation.

Technical ContextAI

The vulnerability affects RealtyScript (CPE: cpe:2.3:a:next_click_ventures:realtyscript:*:*:*:*:*:*:*:*), a PHP-based real estate management system. The root cause is improper input validation (CWE-79) in the file upload functionality of admin/tools.php, where the 'file' POST parameter fails to sanitize uploaded content. This allows attackers to upload files containing JavaScript code that executes when other users access the uploaded files through the application, resulting in stored/persistent XSS rather than reflected XSS.

RemediationAI

No official patch information is available in the provided references. The vendor advisory links point to third-party security research (zeroscience.mk and vulncheck.com) rather than official vendor communications. Recommended mitigations include: 1) Implement strict file upload validation and sanitization in admin/tools.php, 2) Restrict file upload permissions to trusted administrators only, 3) Implement Content Security Policy (CSP) headers to mitigate XSS impact, 4) Consider upgrading to a newer version if available or switching to an actively maintained alternative given the software's age.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

EUVD-2015-9411 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy