Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-3933

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

5.5%

top 9.77%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Unknown Essential Real Estate G5theme Essential Real Estate

Timeline

PublishedDec 12

Description

The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/essential_real_estate< 3.9.6

▶NVDg5theme/essential_real_estate< 3.9.6

🔴Vulnerability Details

CVEList

Essential Real Estate < 3.9.6 - Reflected Cross-Site-Scripting↗2022-12-12

▶

GHSA

GHSA-2rfc-g399-fff5: The Essential Real Estate WordPress plugin before 3↗2022-12-12

▶

💥Exploits & PoCs

Nuclei

WordPress Essential Real Estate <3.9.6 - Authenticated Cross-Site Scripting

▶