MEDIUM 5.4

CVE-2019-25742: Stored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk

The Zoner Real Estate WordPress theme version 4.1.1 has a stored cross-site scripting (XSS) flaw in its property creation form. Authenticated real estate agents can inject malicious JavaScript into the property's address field, and that script will execute when site administrators review the property for approval. This could allow attackers to steal admin session cookies or hijack their accounts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when creating properties. Attackers can inject JavaScript payloads in the property creation form that execute when administrators view the property for approval, enabling cookie theft and session hijacking.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2019-25742 is a persistent XSS vulnerability (CWE-79) in the Zoner Real Estate WordPress theme 4.1.1. The vulnerability exists in the property creation workflow where the Address input field does not properly sanitize or escape user-supplied data before storage in the database. When an authenticated agent submits a property with a JavaScript payload embedded in the Address field, the malicious script persists and executes in the browser context of administrators who access the property approval interface. The CVSS v3.1 base score of 5.4 (MEDIUM) reflects the requirement for authenticated user privileges and user interaction (admin viewing the property), though the impact includes confidentiality and integrity compromise via session hijacking or cookie theft.

Business impact

Real estate businesses using this theme face compromised administrative accounts if agents—or attackers posing as agents—inject XSS payloads. Admin credential theft or session hijacking enables unauthorized changes to listings, property data exfiltration, and potential further lateral movement into the WordPress installation. For multi-site agencies, a single malicious property could affect all site administrators who review pending listings, making this a business continuity and data protection risk.

Affected systems

WordPress installations running the Zoner Real Estate theme version 4.1.1 are affected. Any site relying on this theme for property management is vulnerable if it allows agents to create or edit properties. Impact depends on user role separation—sites with many agents or permissive role configurations face higher risk than those with restricted property submission.

Exploitability

Exploitation requires authentication (agent-level access or higher), limiting the attack surface to internal or invited users with account creation privileges. However, no CISA KEV status is assigned, and exploitation complexity is low once an attacker has valid credentials. Real estate platforms that onboard agents rapidly or have weak authentication controls face higher practical risk. The requirement for admin user interaction (viewing the malicious property) is moderate friction but not a strong barrier in typical property approval workflows.

Remediation

Update the Zoner Real Estate theme to a patched version that properly sanitizes and escapes user input in the Address field and all other form inputs. Verify the fix with the theme vendor's advisory before deploying. As an interim measure, restrict the Address field to plaintext-only input if the theme allows configuration, and implement Web Application Firewall (WAF) rules to block JavaScript patterns in property submission parameters.

Patch guidance

Consult the Zoner Real Estate theme vendor's official advisory for the specific patched version address. Apply updates through the WordPress theme management interface or manually via SFTP if automatic updates are disabled. Test the update in a staging environment first, particularly ensuring property approval workflows function correctly. Verify that all properties created under the vulnerable version are reviewed or sanitized before public display.

Detection guidance

Search your WordPress database (wp_postmeta and wp_posts tables, depending on theme storage) for JavaScript patterns (script tags, event handlers like onclick, onerror) in property address fields and related metadata. Review admin access logs for property approval actions around the time agent accounts were created or showed unusual activity. Monitor for cookie-stealing payloads or suspicious JavaScript in property-related content. Consider WordPress security plugins (e.g., Wordfence, Sucuri) configured to scan post meta for XSS patterns.

Why prioritize this

Although the CVSS score is MEDIUM (5.4), prioritize this vulnerability for patching because it directly enables account compromise of site administrators—the highest-privilege users. Session hijacking of admin accounts is a common precursor to ransomware deployment and data exfiltration. The stored nature of the XSS means the threat persists across sessions and affects all admins who view properties. No KEV status or active zero-day exploitation reduces urgency slightly, but remediation should occur within standard patch windows (30–60 days).

Risk score, explained

The CVSS v3.1 score of 5.4 reflects: (1) Low attack complexity (AV:N, AC:L)—any network-connected agent can exploit; (2) Requirement for authentication (PR:L) and user interaction (UI:R), limiting opportunistic exploitation; (3) Confidentiality and Integrity impact (C:L, I:L) through session theft and account compromise; (4) No Availability impact; (5) Scope Change (S:C) meaning the vulnerability affects resources beyond the vulnerable component (admin sessions). The score appropriately captures a high-value target (admin accounts) with moderate accessibility (requires agent credentials), warranting swift patching despite 'MEDIUM' classification.

Frequently asked questions

Can regular website visitors exploit this vulnerability?

No. The vulnerability requires authentication as a real estate agent (or higher privilege) to create or edit properties. Unauthenticated visitors cannot inject payloads. However, once a malicious property is stored, any administrator who views it is at risk.

Does updating WordPress alone fix this issue?

No. This is a theme-specific flaw, not a WordPress core issue. You must update the Zoner Real Estate theme itself to a patched version. Verify the patched version with the theme vendor before applying.

What should we do with properties created by agents we no longer trust?

Audit and delete or unpublish any properties created by agents around the time the vulnerability was active, particularly those with unusual Address field formatting. Review all property approvals in logs during that period for suspicious admin activity.

How can we detect if an attacker has already exploited this?

Search property address fields in your database for JavaScript syntax (script tags, event handlers). Review WordPress admin session logs and cookie issuance timestamps for unexpected admin login activity. Use WordPress security plugins to scan post meta for XSS payloads.

This analysis is based on publicly available CVE data and does not constitute professional security advice. Patch version numbers and specific remediation steps must be verified against the official Zoner Real Estate theme vendor advisory before deployment. SEC.co does not provide warranties regarding the completeness or accuracy of vendor patches. Organizations should conduct their own threat modeling and testing in staging environments. For active exploitation or breach investigation, engage qualified incident response professionals. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).