CVE-2026-42729
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows DOM-Based XSS. This issue affects PropertyHive: from n/a through <= 2.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-based XSS vulnerability in PropertyHive plugin for WordPress up to 2.2.2 allows attackers to inject malicious scripts via crafted input, requiring user interaction.
Vulnerability
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the PropertyHive plugin for WordPress, affecting versions through 2.2.2. The plugin fails to properly neutralize user input during web page generation, allowing attackers to inject arbitrary JavaScript that executes in the victim's browser context [1].
Exploitation
To exploit this vulnerability, an attacker must trick a privileged user (e.g., an administrator) into performing an action such as clicking a malicious link, visiting a crafted page, or submitting a form. No prior authentication is required, but successful exploitation depends on user interaction [1].
Impact
Successful exploitation allows an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which execute when visitors access the affected site. This could lead to information disclosure, session hijacking, or defacement [1].
Mitigation
The vulnerability is fixed in version 2.2.3 of the PropertyHive plugin. Users should update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the patch is applied [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products:
- (no CPE) range: <=2.2.2
- (no CPE) range: <=2.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1 reference
News mentions
No linked articles in our index yet.