Description
The Contempo Real Estate Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

Contempo Real Estate Core suffers a stored XSS flaw that allows an authenticated attacker with Contributor or higher privileges to inject arbitrary JavaScript via shortcode attributes. Because the plugin neither sanitizes the attribute values on input nor escapes them on output, the payload is rendered into the page markup, and every visitor who views the affected page executes it in their browser. Contributors cannot publish posts themselves, so the usual path is that an Editor or Administrator previews or reviews the submitted content and the script runs in that privileged session, where it can perform actions as the victim (for example through the REST API with the victim's nonce), deface content, or redirect to phishing pages. WordPress authentication cookies are set HttpOnly, so direct cookie theft is not the main concern; the confidentiality and integrity loss reflected in the CVSS vector comes from actions taken on the victim's behalf.
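The bug class in PHP, as an added illustration that is not code from the Contempo Real Estate Core plugin: a shortcode handler in the vulnerable shape the advisory describes next to a hardened version that escapes each attribute for the context it lands in. The shortcode name `demo_listing`, its attributes and the attacker input are hypothetical; the `function_exists` stand-ins are only there so the file runs under plain `php` outside WordPress, and the `esc_url()` stand-in is narrower than the real one.

```php
<?php
// Added illustration of the bug class the advisory describes; this is NOT code
// from the Contempo Real Estate Core plugin. The shortcode "demo_listing" and
// its attributes are hypothetical.

// Stand-ins so the file runs under plain `php` outside WordPress. Inside
// WordPress the real functions already exist and these are skipped. The
// esc_url() stand-in is deliberately narrower than WordPress's: it keeps only
// http(s) URLs, site-relative paths and fragments, and drops everything else.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        $out = $defaults;
        foreach ($defaults as $key => $default) {
            if (array_key_exists($key, $atts)) {
                $out[$key] = $atts[$key];
            }
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $s): string {
        $s = trim($s);
        return preg_match('#^(https?://|/|\#)#i', $s) ? esc_attr($s) : '';
    }
}

// Vulnerable shape (CWE-79): user-controlled attributes are concatenated into
// markup with no escaping, so a value can close the attribute it sits in.
function demo_listing_vulnerable(array $atts): string {
    $a = shortcode_atts(['title' => '', 'class' => 'listing', 'link' => '#'], $atts);
    return '<div class="' . $a['class'] . '">'
         . '<a href="' . $a['link'] . '">' . $a['title'] . '</a></div>';
}

// Hardened shape: each attribute is escaped for the context it lands in
// (HTML attribute, URL attribute, text node).
function demo_listing_hardened(array $atts): string {
    $a = shortcode_atts(['title' => '', 'class' => 'listing', 'link' => '#'], $atts);
    return '<div class="' . esc_attr($a['class']) . '">'
         . '<a href="' . esc_url($a['link']) . '">' . esc_html($a['title']) . '</a></div>';
}

// Constructed attacker input: the parsed form of a post containing
//   [demo_listing title="Sea & Sun" class='" onmouseover="alert(1)' link="javascript:alert(2)"]
// No HTML tag appears in the post text, so the KSES filtering applied to a
// Contributor's post on save leaves it untouched; the break-out only happens
// when the handler renders the attribute.
$evil = [
    'title' => 'Sea & Sun',
    'class' => '" onmouseover="alert(1)',
    'link'  => 'javascript:alert(2)',
];

echo "vulnerable: ", demo_listing_vulnerable($evil), PHP_EOL;
echo "hardened:   ", demo_listing_hardened($evil), PHP_EOL;
```

The point to take from the two outputs is that the vulnerable handler emits the `class` value with its quote intact, turning it into a live `onmouseover` handler, and passes the `javascript:` link through unchanged, while the hardened version neutralises the quote and drops the link. Post-content filtering for Contributors (KSES) never sees the handler's output, which is why shortcode attributes are a recurring stored-XSS vector in WordPress plugins.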

Affected Systems

All WordPress sites that use the Contempo Real Estate Core plugin in versions 3.6.3 or earlier are impacted. The vulnerability is tied to the plugin’s shortcode handling and does not affect the core WordPress engine itself.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) rates the issue Medium, not High: the low privilege and no-interaction requirements are offset by limited confidentiality and integrity impact, with the changed scope reflecting that the script runs in other users' browsers rather than in the plugin itself. The EPSS score of less than 1% indicates that, at the time of analysis, exploitation is relatively unlikely; the vulnerability is not listed in CISA KEV, and the SSVC record marks exploitation as "none" and the flaw as not automatable. Exploitation requires a valid Contributor-level (or higher) account: the attacker places the plugin's shortcode with a crafted attribute value in a post, and the script executes whenever anyone loads a page that renders that shortcode, including the Editor or Administrator who reviews the submission.

Generated by OpenCVE AI on April 21, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Contempo Real Estate Core to a release later than 3.6.3 (the page lists ≥3.6.4) and confirm against the vendor changelog that the release includes the shortcode attribute escaping fix.
  • If an immediate update is not possible, review every account with Contributor or higher privileges and remove or downgrade those that are not needed, audit existing posts for the plugin's shortcodes carrying unusual attribute values (quotes, angle brackets, `on*=` handlers, `javascript:` URLs), and, if the site can tolerate losing the plugin's output, deactivate the plugin so its shortcode handlers no longer run.
  • Apply defensive controls such as a Content Security Policy that blocks inline scripts (test it first, since many WordPress themes and plugins rely on inline scripts) and a web application firewall rule to detect and block unusual shortcode syntax in submitted content. Note that neither control removes a payload that is already stored; only the audit above does.
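The audit step in the actions above, as an added helper that is not part of the plugin or of WordPress: a scanner that walks stored post content, extracts shortcode attribute values the way the WordPress shortcode parser delimits them, and flags values that look like attribute break-outs or script URLs. The shortcode name `demo_listing`, the attribute names and the sample rows are constructed; the page does not list the plugin's real shortcode names, so substitute them in the `$watch` list.

```php
<?php
// Added audit helper (not part of the plugin or WordPress): flag shortcode
// attribute values in stored post content that look like attribute break-outs
// or script URLs. Shortcode and attribute names below are hypothetical.

/**
 * Scan one post's content. Returns one finding per suspicious attribute:
 * ['post_id' => int, 'shortcode' => string, 'attr' => string, 'value' => string].
 * $watch limits the scan to the given shortcode names; [] scans all of them.
 */
function find_suspicious_shortcode_atts(int $post_id, string $content, array $watch = []): array
{
    $findings = [];
    // Opening tags only: [name attrs]. Like WordPress's own shortcode regex,
    // a ']' inside an attribute value is not allowed, so values cannot hide one.
    if (!preg_match_all('/\[([A-Za-z0-9_-]+)([^\]]*)\]/', $content, $tags, PREG_SET_ORDER)) {
        return $findings;
    }
    // Values that close a quote, start a tag, carry an event handler, or use a
    // script-capable URL scheme. Expect some false positives (e.g. legitimate
    // data: URLs); the list is meant for review, not automatic deletion.
    $suspicious = '/["\'<>]|javascript:|vbscript:|data:|\bon[a-z]+\s*=/i';

    foreach ($tags as [, $name, $attrs]) {
        if ($watch !== [] && !in_array($name, $watch, true)) {
            continue;
        }
        // attr="..." | attr='...' | attr=bare
        preg_match_all(
            '/([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/',
            $attrs, $pairs, PREG_SET_ORDER
        );
        foreach ($pairs as $p) {
            $value = ($p[2] ?? '') !== '' ? $p[2] : ((($p[3] ?? '') !== '') ? $p[3] : ($p[4] ?? ''));
            if (preg_match($suspicious, $value)) {
                $findings[] = ['post_id' => $post_id, 'shortcode' => $name,
                               'attr' => $p[1], 'value' => $value];
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for wp_posts.ID / post_content.
$posts = [
    101 => '[demo_listing title="Sea View Villa" class="featured" link="/listing/42/"]',
    102 => '[demo_listing title="Loft" class=\'" onmouseover="alert(1)\' link="/x"]',
    103 => '[demo_listing title="Penthouse" link="javascript:alert(2)"] and [gallery ids="1,2"]',
];

foreach ($posts as $id => $content) {
    foreach (find_suspicious_shortcode_atts($id, $content, ['demo_listing']) as $f) {
        printf("post %d: [%s %s=...] value=%s\n",
               $f['post_id'], $f['shortcode'], $f['attr'], $f['value']);
    }
}
```

On a real site, feed the function the rows from `wp post list --post_type=any --post_status=any --fields=ID,post_content --format=json` so that drafts, pending submissions, revisions and custom post types (where a Contributor's unpublished content lives) are covered, not only published posts.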

Generated by OpenCVE AI on April 21, 2026 at 21:33 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-9315
Title: The Contempo Real Estate Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 01 Apr 2025 16:15:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 11:30:00 +0000

Description, values added:
The Contempo Real Estate Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Title, values added:
Contempo Real Estate Core <= 3.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Weaknesses, values added:
CWE-79

References, values added:

Metrics (cvssV3_1), values added:
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Vendor: Contempoinc, Product: Contempo Real Estate Core
Vendor: Wordpress, Product: Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:48.484Z

Reserved: 2025-03-28T09:36:42.701Z

Link: CVE-2025-2906

Vulnrichment

Updated: 2025-04-01T15:14:06.578Z

NVD

Status : Deferred

Published: 2025-04-01T12:15:15.580

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses