CVE-2026-1845
Stored XSS in Real Estate Pro WordPress Plugin Admin Settings
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imforza | real_estate_pro | to 1.0.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Real Estate Pro plugin allows authenticated administrators to inject arbitrary scripts that execute when users access affected pages. This stored cross-site scripting (XSS) flaw can lead to unauthorized access or manipulation of user data.
Such unauthorized script execution and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data against unauthorized access and ensuring data integrity.
However, the provided information does not explicitly discuss the direct impact on compliance with these standards.
Can you explain this vulnerability to me?
CVE-2026-1845 is a Stored Cross-Site Scripting (XSS) vulnerability in the Real Estate Pro WordPress plugin, affecting all versions up to and including 1.0.9. It occurs due to insufficient input sanitization and output escaping in the admin settings. This allows authenticated users with administrator-level permissions or higher to inject malicious web scripts into pages. These scripts execute whenever a user accesses the injected page.
The vulnerability specifically affects multi-site WordPress installations and installations where the unfiltered_html capability has been disabled.
How can this vulnerability impact me? :
This vulnerability can allow attackers with administrator-level access to inject malicious scripts that execute in the context of users visiting the affected pages. This can lead to unauthorized actions such as stealing user credentials, hijacking user sessions, or performing actions on behalf of users without their consent.
Since the vulnerability requires high-level permissions to exploit, the risk is somewhat limited to trusted users who have administrator access, but the impact can still be significant in terms of site security and user trust.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to disable the Real Estate Pro plugin, as it has been closed and is currently unavailable for download pending a full review.
Additionally, the developers suggested disabling error reporting as a workaround, although this does not fix the underlying security issues.
Since the vulnerability affects multi-site installations and those with unfiltered_html disabled, reviewing these configurations and limiting administrator-level access may also help reduce risk.