{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1845", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-03T18:06:05.697Z", "datePublished": "2026-04-22T07:45:31.431Z", "dateUpdated": "2026-04-22T07:45:31.431Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:31.431Z"}, "affected": [{"vendor": "bhubbard", "product": "Real Estate Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Real Estate Pro <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1978fd4f-f130-4e72-85df-24a6f9aebfe2?source=cve"}, {"url": "https://wordpress.org/plugins/re-pro/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-04-21T19:15:26.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2026-1845", "lastModified": "2026-04-22T09:16:20.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:20.650", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/re-pro/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1978fd4f-f130-4e72-85df-24a6f9aebfe2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:29:22.210885+00:00", "value": {"mitigation_remediation": ["Update Real\u202fEstate\u202fPro to a patched release (e.g., 1.1 or later)", "Verify that mult\u2011site configurations are securely managed, ensuring that unfiltered_html is disabled for non\u2011trusted content", "If an upgrade is not immediately possible, remove the plugin or replace it with a secure alternative"], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting via admin settings"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of Real\u202fEstate\u202fPro version 1.0.9 or earlier, specifically when WordPress is configured as a multi\u2011site network and the unfiltered_html capability is disabled. The plugin is distributed by the vendor bhubbard.", "description_and_impact": "The Real Estate Pro WordPress plugin allows an authenticated attacker with administrator privileges to inject arbitrary JavaScript into stored settings. When another user visits the affected page, the injected script executes in their browser, potentially compromising their session or defacing the site. This is a classic Stored XSS flaw (CWE\u201179).", "risk_and_exploitability": "With a CVSS score of 5.5 the flaw is moderate but still significant, especially given that it requires only an authenticated admin account. No public exploit is documented and the EPSS score is not available, but the risk remains due to the potential for malicious script injection. The vulnerability is not listed in the CISA KEV catalog, yet its impact on user data and trustworthiness makes patching advisable."}}}}, "created": "2026-04-22T09:30:13.558644+00:00", "updated": "2026-04-22T09:30:13.558655+00:00", "vendors": []}