The vulnerability is an Improper Neutralization of Input During Web Page Generation that allows stored cross‑site scripting. When untrusted data is accepted by the IMPress for IDX Broker plugin and later rendered in a web page, an attacker can inject JavaScript that runs in the browsers of any user who views the affected content, enabling script execution, cookie theft, defacement, or further social engineering. The stored nature of the flaw means the malicious content persists until the data is removed or the plugin is patched. The impact therefore is a breach of confidentiality and integrity of user sessions and potential for malicious activity on the site. The likely attack vector is through the plugin’s data entry interface that accepts user input and stores it in the database.

IDX Broker’s IMPress for IDX Broker plugin versions through 3.2.3 are impacted. Any site using these versions without the later patch is vulnerable.

The CVSS score of 6.5 indicates a medium severity level. The EPSS score of less than 1% suggests a low likelihood that this vulnerability will be actively exploited in the near term, and it is not listed in the CISA KEV catalog. Exploitation requires the ability to input data into the plugin – typically via an administrative or privileged user interface – and does not rely on additional external factors. Consequently, the overall risk is moderate but can be escalated if the plugin is exposed to untrusted content entry points.