Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows DOM-Based XSS.This issue affects PropertyHive: from n/a through <= 2.2.2.
Published: 2026-05-27
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a DOM‑Based XSS flaw caused by improper neutralization of user input during web page generation. Because the PropertyHive plugin fails to escape content that is incorporated into the DOM, an attacker can inject malicious scripts that execute in the victim’s browser. This flaw permits session hijacking, theft of credentials, or other actions that compromise the confidentiality and integrity of the affected website, potentially affecting all authenticated users.

Affected Systems

The flaw exists in Property Hive’s PropertyHive plugin for WordPress versions through 2.2.2. Any installation of the plugin on a WordPress site that has not upgraded beyond 2.2.2 is affected. The issue was identified as affecting all releases from unknown earliest to 2.2.2.

Risk and Exploitability

The CVSS score of 7.1 classifies the issue as high severity. EPSS is not available, so the likelihood of exploitation is uncertain, but the lack of a KEV listing suggests no current widespread exploitation. The attack surface is the web interface, where an attacker can craft input to a vulnerable field or URL parameter that ends up unescaped in the DOM. If successful, the attacker can execute arbitrary JavaScript in the context of the logged‑in user.

Generated by OpenCVE AI on May 27, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website for an update that addresses this vulnerability and apply any released fix if available
  • If an upgrade is not immediately possible, disable or remove the vulnerable plugin to eliminate the attack surface
  • Implement proper input validation and output encoding in any custom code that passes user data to the browser
  • Consider deploying a Content Security Policy to reduce the impact of potential script injection

Generated by OpenCVE AI on May 27, 2026 at 11:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Propertyhive
Propertyhive propertyhive
Wordpress
Wordpress wordpress
Vendors & Products Propertyhive
Propertyhive propertyhive
Wordpress
Wordpress wordpress

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows DOM-Based XSS.This issue affects PropertyHive: from n/a through <= 2.2.2.
Title WordPress PropertyHive plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Propertyhive Propertyhive
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:54:18.249Z

Reserved: 2026-04-29T09:05:25.569Z

Link: CVE-2026-42729

cve-icon Vulnrichment

Updated: 2026-05-27T10:54:13.577Z

cve-icon NVD

Status : Received

Published: 2026-05-27T11:16:19.297

Modified: 2026-05-27T11:16:19.297

Link: CVE-2026-42729

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T12:00:32Z

Weaknesses