Impact
The vulnerability is a time‑based blind SQL injection that exists in multiple application parameters of Next Click Ventures RealtyScript 4.0.2. It allows an unauthenticated attacker to embed SQL code that causes the database to delay its response. By measuring these timing differences, the attacker can recover database data character by character. This flaw can lead to unauthorized disclosure of sensitive data stored in the database, such as user credentials, property listings, and other confidential information. The weakness is identified as CWE‑89.
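A detection sketch for the timing behaviour described above, added here as an example and not taken from the advisory or the vendor. It scans web access logs for database delay functions in query strings and checks whether the response was actually slow. The log format (response time appended as rt=), the /example.php and /search.php paths, the x and q parameters, and the 3-second threshold are all assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines (not from the advisory): combined log format with
# the response time in seconds appended as rt=<float>. Paths are hypothetical.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /example.php?x=12 HTTP/1.1" 200 5120 rt=0.084
203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /example.php?x=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 rt=5.091
203.0.113.9 - - [01/Jan/2025:10:00:12 +0000] "GET /example.php?x=12%2520AND%2520sleep%25285%2529 HTTP/1.1" 200 5120 rt=0.079
198.51.100.7 - - [01/Jan/2025:10:00:20 +0000] "GET /search.php?q=sleep+number+bed HTTP/1.1" 200 900 rt=0.101
"""

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+ rt=([\d.]+)$')
# Delay primitives of common SQL dialects; the advisory does not name the DBMS.
DELAY_RE = re.compile(r'\b(?:pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b', re.I)

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text, slow_seconds=3.0):
    """Return one finding per request whose query string calls a delay function."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # line not in the assumed format
        client, target, _status, elapsed = match.groups()
        url = urlsplit(target)
        if DELAY_RE.search(decode(url.query)):
            findings.append({
                "client": client,
                "path": url.path,
                # True: the delay took effect, so the parameter is likely injectable.
                "delay_observed": float(elapsed) >= slow_seconds,
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

POST bodies do not appear in access logs, so the same check would have to run in a WAF or in application-level logging to cover POST parameters.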
Affected Systems
The affected product is Next Click Ventures RealtyScript version 4.0.2. No other versions are listed as vulnerable. The product is identified by the CPE string cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*.
Risk and Exploitability
The CVSS score is 8.8, indicating high severity: unauthenticated attackers can obtain confidential data. The EPSS score is less than 1 %, implying a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote via HTTP requests; an attacker does not need authentication, but must be able to send crafted requests to the application’s vulnerable endpoints. The description explicitly states that no authentication is required, so there are no additional prerequisites.
OpenCVE Enrichment