Description
Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials.
Published: 2026-04-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

Joomla iProperty Real Estate 4.1.1 has a reflected cross‑site scripting flaw that allows attackers to inject malicious JavaScript through the filter_keyword GET parameter of the all‑properties‑with‑map endpoint. When a victim follows a crafted URL, the injected script runs in the victim’s browser, enabling the attacker to steal session cookies, credentials, or perform other client‑side attacks.

Affected Systems

The vulnerability affects Thethinkery’s Joomla iProperty Real Estate plugin, specifically version 4.1.1. No other versions are listed as affected in the available data.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. Exploit probability data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector requires a victim to click a malicious link, making this a user‑interaction‑dependent threat. Successful exploitation can lead to compromise of confidentiality through credential theft or enabling further attacks on the host system.

Generated by OpenCVE AI on April 9, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Joomla iProperty Real Estate extension to the latest version released by Thethinkery.
  • If an update is not available, block or restrict access to the all‑properties‑with‑map endpoint or require authentication to use it.
  • Deploy a web application firewall that identifies and blocks XSS payloads in query strings.
  • Educate users not to click suspicious URLs that may contain malicious scripts.

Generated by OpenCVE AI on April 9, 2026 at 22:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Thethinkery
Thethinkery joomla Iproperty Real Estate
Vendors & Products Thethinkery
Thethinkery joomla Iproperty Real Estate

Thu, 09 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials.
Title Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Thethinkery Joomla Iproperty Real Estate
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-24T01:37:40.456Z

Reserved: 2026-04-09T20:41:56.551Z

Link: CVE-2023-54361

cve-icon Vulnrichment

Updated: 2026-04-10T14:06:24.360Z

cve-icon NVD

Status : Deferred

Published: 2026-04-09T21:16:05.533

Modified: 2026-04-15T15:00:32.790

Link: CVE-2023-54361

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:13Z

Weaknesses