EUVD-2025-208863 | CVE-2025-62043
Severity: MEDIUM, CVSS 3.1 base score 6.5
Published: 2026-03-19, reported by Patchstack

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Mar 19, 2026 - 08:25 (nvd): CVE Published, rated MEDIUM 6.5
Mar 19, 2026 - 08:45 (euvd): EUVD ID Assigned, EUVD-2025-208863
Mar 19, 2026 - 08:45 (vuln.today): Analysis Generated

Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-based XSS. This issue affects WPCasa: from n/a through 1.4.1.

Analysis

A DOM-based cross-site scripting (XSS) vulnerability exists in the WPSight WPCasa WordPress plugin, versions through 1.4.1, allowing authenticated attackers to inject JavaScript that executes in other users' browsers. The flaw stems from improper neutralization of user input during web page generation, so an attacker holding login credentials can craft a payload that runs in the context of another user's session. With a CVSS score of 6.5, a network attack vector, low privileges required and user interaction required, this vulnerability poses a moderate risk to WordPress installations running affected WPCasa versions, particularly sites managing real estate listings where authenticated users hold content-creation privileges.

Technical Context

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic DOM-based XSS flaw in which user-controlled input is written into the DOM without proper sanitization or encoding. The WPCasa plugin (identified via CPE cpe:2.3:a:wpsight:wpcasa:*:*:*:*:*:*:*:*) is a WordPress real estate listing and property management plugin that processes user input during page generation. DOM-based XSS differs from reflected and stored XSS in that the defect lies in client-side JavaScript that reads URL parameters or form inputs and inserts them into the page without escaping, so the injected script executes in the victim's browser. The attack occurs when the application takes untrusted input and uses it to dynamically generate page content via DOM manipulation without first validating or encoding that data.

Affected Products

WPSight WPCasa plugin versions from an unspecified baseline through version 1.4.1 are affected, as confirmed by the CPE identifier cpe:2.3:a:wpsight:wpcasa:*:*:*:*:*:*:*:*; in practice, every installation of WPCasa 1.4.1 or earlier is impacted. According to the Patchstack database, detailed information including patch availability and advisory details is available at https://patchstack.com/database/wordpress/plugin/wpcasa/vulnerability/wordpress-wpcasa-plugin-1-4-1-cross-site-scripting-xss-vulnerability.

Remediation

Upgrade WPCasa to a patched version released after 1.4.1 immediately, checking the official WPSight repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpcasa/vulnerability/wordpress-wpcasa-plugin-1-4-1-cross-site-scripting-xss-vulnerability) for the minimum patched version number. Until an upgrade is feasible, implement the following defenses:

1. Restrict WPCasa administrative and content-creation capabilities to trusted users only.
2. Use a Web Application Firewall (WAF) configured to block DOM-XSS patterns in URL parameters and form inputs targeting WPCasa endpoints. Note that a WAF only inspects what reaches the server; input carried in the URL fragment (after #) is handled purely client-side and is not visible to it, so this control is partial for DOM-based XSS.
3. Enforce Content Security Policy (CSP) headers to restrict inline script execution and limit script sources.
4. Conduct a security audit of user permissions to identify and remove unnecessary authenticated access.

Additionally, monitor user activity logs for suspicious parameter injection attempts in WPCasa property listing and form submission handlers.

Priority Score: 33 (KEV: 0, EPSS: +0.0, CVSS: +32, POC: 0)

EUVD-2025-208863 vulnerability details – vuln.today
