CVE-2019-25742: WordPress Theme Zoner Real Estate 4.1.1 Persistent XSS
WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when creating properties. Attackers can inject JavaScript payloads in the property creation form that execute when administrators view the property for approval, enabling cookie theft and session hijacking.
Security readout for executives and security teams
Plain-English summary
CVE-2019-25742 is a stored XSS issue in the Zoner Real Estate WordPress theme 4.1.1. An authenticated agent can place malicious script content in a property Address field. The script may run when an administrator reviews the property, creating risk of account compromise or session theft.
Executive priority
Prioritize remediation for public real-estate sites with multiple agent accounts or frequent listing submissions. The issue is not critical, but administrator compromise can affect site integrity and trust.
Technical view
The issue is CWE-79 stored cross-site scripting in Fruitfulcode Zoner Real Estate 4.1.1. The provided CVSS is 5.4: network reachable, low complexity, low privileges, administrator interaction required, changed scope, and limited confidentiality and integrity impact. The source bundle does not identify a fixed version.
Likely exposure
Exposure is limited to WordPress sites running the Zoner Real Estate theme version 4.1.1, especially where agent accounts can create properties pending administrator approval.
Exploitation context
A public ExploitDB reference exists, but the bundle does not state active exploitation and KEV is false. Treat this as publicly documented and reproducible risk, not confirmed in-the-wild exploitation.
Researcher notes
Evidence supports authenticated stored XSS through the Address field during property creation, triggered by administrator review. Sources do not provide patch status, affected CPEs, or active exploitation confirmation, so validation should focus on exact theme version and role exposure.
Mitigation direction
Identify WordPress sites using Zoner Real Estate theme version 4.1.1.
Check Fruitfulcode or ThemeForest for vendor guidance and fixed releases.
Restrict property creation privileges to trusted agent accounts.
Review pending properties before administrator interaction where feasible.
Replace or disable the theme if no supported fix is available.
Validation and detection
Inventory installed WordPress themes and confirm exact Zoner Real Estate version.
Review agent accounts that can create or edit property listings.
Inspect stored property Address fields for unexpected script or HTML content.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.