The Property Hive WordPress plugin before 2.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 14 May 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Wp-property-hive
Wp-property-hive propertyhive
Weaknesses CWE-79
CPEs cpe:2.3:a:wp-property-hive:propertyhive:*:*:*:*:*:wordpress:*:*
Vendors & Products Wp-property-hive
Wp-property-hive propertyhive

Wed, 08 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jan 2025 06:15:00 +0000

Type Values Removed Values Added
Description The Property Hive WordPress plugin before 2.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Title PropertyHive < 2.1.1 - Reflected XSS
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2025-01-08T15:38:18.357Z

Reserved: 2024-12-12T18:10:29.684Z

Link: CVE-2024-12585

cve-icon Vulnrichment

Updated: 2025-01-08T15:37:51.849Z

cve-icon NVD

Status : Analyzed

Published: 2025-01-08T06:15:16.160

Modified: 2025-05-14T15:42:36.630

Link: CVE-2024-12585

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.