Real Estate 7
Monthly
Reflected/stored Cross-Site Scripting in the Real Estate 7 WordPress theme (contempoinc) versions 3.5.9 and earlier lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The scope-changing flaw (CVSS 3.1 7.1) can hijack sessions or perform actions in the victim's authenticated context, including administrators. Reported by Patchstack; no public exploit code has been identified and it is not on the CISA KEV list.
The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected/stored Cross-Site Scripting in the Real Estate 7 WordPress theme (contempoinc) versions 3.5.9 and earlier lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The scope-changing flaw (CVSS 3.1 7.1) can hijack sessions or perform actions in the victim's authenticated context, including administrators. Reported by Patchstack; no public exploit code has been identified and it is not on the CISA KEV list.
The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.