CVE-2019-25742

Vulnerability

WordPress Theme Zoner Real Estate versions up to and including 4.1.1 contain a persistent cross-site scripting (XSS) vulnerability. This flaw resides in the Address input field used when creating properties. The vulnerability allows authenticated agents to inject malicious scripts that are stored persistently within the application.

Exploitation

An attacker with agent-level authentication can inject JavaScript payloads into the Address field when creating or editing a property. These scripts are designed to execute when an administrator views the property for approval. No other user interaction is required beyond the initial injection by the authenticated agent.

Impact

Successful exploitation of this vulnerability allows an attacker to achieve cookie theft and session hijacking. When an administrator views the compromised property, the injected JavaScript executes in their browser context, potentially allowing the attacker to impersonate the administrator or gain unauthorized access to their account.

Mitigation

There is no specific patched version or release date disclosed in the available references. Users are advised to check for updates from the theme developer. As of the available information, no workarounds or specific mitigation steps beyond updating the theme when a patch becomes available have been published. The theme is listed as affecting versions <= 4.1.1 [1].