Atomic Edge analysis of CVE-2026-1845 (metadata-based): This vulnerability affects the Real Estate Pro plugin (slug: re-pro) for WordPress up to version 1.0.9. It allows authenticated attackers with administrator-level permissions to inject stored cross-site scripting (XSS) payloads via the plugin's admin settings pages. The CVSS score of 5.5 (PR:H, which places it in the Medium band of the CVSS v3 rating scale) reflects that the attacker must already hold admin access; however, the stored payload executes in the browser of any user who views the affected page, including users with lower privileges than the attacker. The CWE-79 classification points to improper neutralization of user-supplied input when generating web pages.
Root Cause: Based on the CVE description and the CWE-79 classification, the vulnerable code most likely processes one or more settings fields (e.g., a custom CSS block, header/footer scripts, or a text area for plugin branding) without adequate sanitization on input and without escaping on output. The description states that the vulnerability occurs "via admin settings" and only affects multi-site installations or installations where unfiltered_html is disabled. This strongly suggests the plugin stores raw or minimally sanitized content in WordPress options or post meta and then prints that content directly, without esc_attr(), esc_html(), or wp_kses(). Since no code diff is available, Atomic Edge analysis infers that the save handler writes the submitted value with update_option() or update_post_meta() after at most wp_unslash(), and neither reduces it with sanitize_text_field() for plain text nor filters it through wp_kses_post() (or wp_kses() with an explicit allowlist) for rich text. The multi-site condition explains why this counts as a vulnerability at all: on a standard single-site install, administrators hold the unfiltered_html capability by default and may legitimately place script tags in content, so a script in a setting is not a privilege boundary crossing. On a multi-site network the capability is granted only to super admins, and it can be removed on single sites with DISALLOW_UNFILTERED_HTML. The vulnerability therefore manifests exactly when the attacker lacks unfiltered_html but can still update the setting.
Exploitation: An authenticated attacker with administrator-level permissions who lacks the unfiltered_html capability (in practice, a site administrator on a multi-site network, or any administrator on a site where the capability has been disabled) navigates to the plugin's settings page, typically at /wp-admin/admin.php?page=re-pro-settings (or similar), and modifies a field that the plugin outputs without escaping, such as a "Custom Header Scripts" or "Footer Text" field. The payload can be as simple as a script tag wrapping alert(document.cookie), or an event-handler vector that needs no script tag at all, such as an image element with an onerror attribute (for example <img src=x onerror=alert(1)>). After the settings form is submitted, the plugin stores the payload. When any user (including front-end visitors or lower-privilege dashboard users) loads a page that renders the saved setting, the script executes in that user's browser. The request is an authenticated POST to the WordPress admin carrying the form's nonce and the vulnerable option name; because admin forms rely on nonce and referrer checks for CSRF protection, the request cannot simply be forged cross-site, and the attacker must be logged in with sufficient privileges. Note that the nonce check is a CSRF defence only: it says nothing about what the submitted value may contain, so its presence does not mitigate this issue.
Remediation: The fix must sanitize every setting on save and escape every setting on output, choosing the function by the type of the field. Plain-text fields should pass through sanitize_text_field() (or sanitize_textarea_field() where line breaks must survive). Fields that legitimately carry HTML should be filtered with wp_kses_post(), or with wp_kses() and an explicit allowlist; script tags and on* event-handler attributes must be absent from that allowlist unless the field's purpose is to hold scripts. For a field whose purpose is to hold raw scripts, the save handler should refuse the change unless current_user_can('unfiltered_html') is true, which mirrors the rule WordPress core applies to post content and keeps super admins on multi-site (and single-site admins) able to use the feature. On output, the value must be escaped for the context it lands in: esc_attr() inside HTML attributes, esc_html() in text content, esc_url() in href or src attributes, and wp_kses_post() or wp_kses() for rich HTML. Raw, unfiltered input must never reach the front end without context-aware escaping, regardless of who saved it, except for the explicitly capability-gated scripts field described above.
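The pattern inferred in the Root Cause paragraph beside the hardened handling described in the Remediation paragraph, as an added example written for this page; it is not code from the Real Estate Pro plugin, whose source is not available here. The option names (repro_footer_text, repro_brand_name, repro_header_scripts), the option group, and the field set are assumptions chosen for illustration; the WordPress functions used (register_setting, wp_kses_post, current_user_can, esc_attr, esc_html, sanitize_text_field, add_settings_error, check_admin_referer) are core APIs.

```php
<?php
// Added example, not code from the Real Estate Pro plugin. It reconstructs
// the inferred vulnerable pattern and shows the hardened equivalent.
// Option names, the option group and the field set are assumptions.

/* ---------- Inferred vulnerable pattern (do not ship) ---------- */

// Stores the raw POST body: an admin without unfiltered_html can save <script>.
function repro_vuln_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'repro_settings' ); // CSRF check only; it is not input validation.
    update_option( 'repro_footer_text', wp_unslash( $_POST['repro_footer_text'] ) );
}

// Echoes the stored value unescaped, so the payload runs for every viewer.
function repro_vuln_render_footer() {
    echo get_option( 'repro_footer_text', '' );
}

/* ---------- Hardened version ---------- */

add_action( 'admin_init', 'repro_register_settings' );
function repro_register_settings() {
    // Plain-text field: sanitize_text_field() strips tags and control characters.
    register_setting( 'repro_settings', 'repro_brand_name', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    // Rich-text field: allowlisted HTML for users without unfiltered_html.
    register_setting( 'repro_settings', 'repro_footer_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'repro_sanitize_footer_text',
        'default'           => '',
    ) );
    // Raw-script field: only unfiltered_html holders may change it.
    register_setting( 'repro_settings', 'repro_header_scripts', array(
        'type'              => 'string',
        'sanitize_callback' => 'repro_sanitize_header_scripts',
        'default'           => '',
    ) );
}

// Mirrors core's rule: single-site admins and multisite super admins hold
// unfiltered_html and may store raw HTML; everyone else gets the
// wp_kses_post() allowlist, which has no <script>, no on* handlers and no
// javascript: URLs. options.php has already unslashed the value.
function repro_sanitize_footer_text( $value ) {
    $value = (string) $value;
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}

// A field that exists to hold scripts cannot be kses-filtered without
// breaking it, so gate the write instead: a user lacking unfiltered_html
// keeps the previously stored value and is shown a settings error.
function repro_sanitize_header_scripts( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return (string) $value;
    }
    add_settings_error(
        'repro_header_scripts',
        'repro_unfiltered_html_required',
        'Changing the header scripts field requires the unfiltered_html capability.'
    );
    return get_option( 'repro_header_scripts', '' );
}

// Output: escape for the context the value lands in.
function repro_render_brand_input() {
    printf(
        '<input type="text" name="repro_brand_name" value="%s">',
        esc_attr( get_option( 'repro_brand_name', '' ) ) // attribute context
    );
}
function repro_render_brand_heading() {
    echo '<h2>' . esc_html( get_option( 'repro_brand_name', '' ) ) . '</h2>'; // text context
}
function repro_render_footer() {
    // Re-filter on output so a value stored before the fix is still neutralised.
    echo wp_kses_post( get_option( 'repro_footer_text', '' ) );
}
function repro_render_header_scripts() {
    // Raw by design: the save path guarantees only unfiltered_html holders wrote it.
    echo get_option( 'repro_header_scripts', '' );
}
```

Two points worth noting about the design. current_user_can() inside a sanitize callback refers to the user making the save request; for writes made outside a request (WP-CLI without --user, cron) there is no current user, so the callbacks fall to the restrictive branch, which is the safe default. And the footer field is re-filtered on output deliberately: that makes it a field that never renders scripts, even for a super admin, and pushes anyone who genuinely needs script output to the capability-gated header scripts field, where the trust decision is made once, at save time.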
Impact: Successful exploitation yields stored XSS, which can lead to session hijacking, forced administrative actions performed with the victim's session (e.g., creating new administrator users or modifying plugin settings), and defacement of public-facing pages. Because the attacker must already be an authenticated administrator, the vulnerability is a privilege-boundary issue rather than an entry point: the meaningful case is a multi-site network, where a site administrator without unfiltered_html can plant a payload that runs in the browsers of visitors, other site administrators, or a super admin who views the affected page, and a payload executing in a super admin's session carries network-level privileges. The script runs in the context of the victim's session, enabling data theft from the dashboard and injection of malicious redirects on the affected site. Atomic Edge analysis assesses the practical severity as moderate given the elevated privilege required; the impact is limited to compromising other administrative users or front-end visitors of the affected site, on multi-site installations or sites where unfiltered_html has been disabled.