Impact
Next Click Ventures RealtyScript 4.0.2 contains a cross-site request forgery (CWE-352) vulnerability in the /admin/addusers.php and /admin/editadmins.php endpoints: neither verifies that a submitted form originated from the application's own pages. An attacker who holds no credentials of their own can host a page that automatically submits a request with attacker-chosen account details to these endpoints; when an administrator who is logged in to RealtyScript loads that page, the browser attaches the administrator's session cookie and the application processes the request as if the administrator had submitted it. Because the submitted data can specify the SUPERUSER privilege level, the attacker ends up with an administrative account and full control of the application. The primary impact is unauthorized privilege escalation, with consequent loss of confidentiality, integrity, and availability of the system.
Affected Systems
Only Next Click Ventures RealtyScript 4.0.2 is listed as affected. The available data does not say whether earlier or later releases share the flaw, so the absence of other versions from the listing should not be read as confirmation that they are safe. Systems running 4.0.2 should be treated as vulnerable.
Risk and Exploitability
The CVSS score of 6.9 places the vulnerability at medium severity, the EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The attack vector is remote: the attacker needs no account on the target and only has to host a page or script that submits a crafted request to the vulnerable endpoints. Exploitation does, however, require user interaction, since an administrator must load the attacker's content while holding a valid RealtyScript session; the attacker cannot issue the request to the application directly. Once that condition is met the attack is trivial to carry out, so the low EPSS figure should be read as a statement about observed exploitation activity rather than about the difficulty of the attack.
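The following is an added example, not RealtyScript's code, written to show the check that a CSRF-vulnerable admin form handler such as the two endpoints above is missing: a per-session synchronizer token verified on every state-changing POST, backed by a SameSite session cookie and a Sec-Fetch-Site check. The field names (username, password, level), the session key level, and the add_user() call are hypothetical placeholders; the real RealtyScript parameters are not given in the advisory.

```php
<?php
// Illustrative CSRF protection for an admin "add user" handler.
// Not RealtyScript code; field names and session keys are hypothetical.
declare(strict_types=1);

// Browsers will not attach a SameSite=Strict cookie to a cross-site POST,
// which removes the ambient credential a CSRF attack relies on.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

/** Issue (or reuse) the session's CSRF token; called when rendering the form. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Reject any state-changing request that does not carry the session's token. */
function require_valid_csrf_token(): void
{
    $sent     = (string) ($_POST['csrf_token'] ?? '');
    $expected = (string) ($_SESSION['csrf_token'] ?? '');
    // hash_equals() avoids a timing side channel on the comparison.
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}

/** Defence in depth: modern browsers send Sec-Fetch-Site; refuse cross-site submissions. */
function require_same_site_request(): void
{
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null && !in_array($site, ['same-origin', 'same-site', 'none'], true)) {
        http_response_code(403);
        exit('cross-site request refused');
    }
}

/** Only an existing SUPERUSER may create accounts (hypothetical session key). */
function require_superuser(): void
{
    if (($_SESSION['level'] ?? '') !== 'SUPERUSER') {
        http_response_code(403);
        exit('admin login required');
    }
}

// Vulnerable shape, for contrast: the handler trusts the session cookie alone,
// and the victim's browser attaches that cookie to a forged cross-site POST.
//
//   if (isset($_SESSION['level'])) {
//       add_user($_POST['username'], $_POST['password'], $_POST['level']);
//   }

// Hardened handler: authorisation, then origin check, then token check.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_superuser();
    require_same_site_request();
    require_valid_csrf_token();
    // add_user($_POST['username'], $_POST['password'], $_POST['level']); // hypothetical
    echo 'user created';
    exit;
}

// GET: render the form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="/admin/addusers.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input name="username"> <input name="password" type="password">
  <select name="level"><option>USER</option><option>SUPERUSER</option></select>
  <button>Add user</button>
</form>
HTML;
```

The token check is the control that actually closes CWE-352; the cookie attribute and the Sec-Fetch-Site check are layered defences that depend on browser support and are skipped here when the header is absent. SameSite=Strict also stops the session cookie being sent on ordinary cross-site navigations, so an application whose admins follow links in from external tools may prefer Lax, which still withholds the cookie on cross-site POSTs.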
OpenCVE Enrichment