Next Click Ventures RealtyScript version 4.0.2 is affected by a stored cross‑site scripting flaw in the location_name field of the admin locations interface. The vulnerability allows an attacker to submit a POST request to the locations.php endpoint that stores a malicious JavaScript payload in the database and is later rendered in the browsers of administrators who view the affected location records. This is a classic stored XSS identified by CWE‑79 and permits execution of arbitrary code in the context of the administrative account, potentially leading to session hijacking, defacement, or credential theft. Key detail from the vendor disclosure: the issue exists due to improper validation of the location_name input.

Affected vendor and product: Next Click Ventures RealtyScript, specifically version 4.0.2 as listed in the provided CPE string cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*. The flaw resides in the admin locations interface accessed via the locations.php endpoint.

The CVSS score of 5.1 classifies this flaw as moderate severity. The EPSS score below 1% indicates a low probability of exploitation in the field, and the vulnerability is not cataloged in the CISA KEV list. The likely attack vector is an attacker in possession of administrative credentials who submits a crafted POST request to the protected endpoint; once a legitimate administrator views the stored record, the embedded script executes. Due to the need for authentication and the narrow exposure surface, the overall risk to a well‑protected environment remains moderate, but early remediation is recommended.