CVE-2026-42729

Property Hive <= 2.2.2 - Unauthenticated Stored Cross-Site Scripting

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
2.2.3
Patched in
4d
Time to patch

Description

The Property Hive plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.2.2
PublishedMay 23, 2026
Last updatedMay 26, 2026
Affected pluginpropertyhive

What Changed in the Fix

Changes introduced in v2.2.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-42729 (Property Hive Stored XSS) ## 1. Vulnerability Summary The **Property Hive** plugin for WordPress (versions <= 2.2.2) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in the `PH_Admin::check_install_add_on` met…

Show full research plan

Exploitation Research Plan: CVE-2026-42729 (Property Hive Stored XSS)

1. Vulnerability Summary

The Property Hive plugin for WordPress (versions <= 2.2.2) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in the PH_Admin::check_install_add_on method, which is hooked to admin_init. This method processes user-supplied data from $_GET parameters (ph_add_on_slug and ph_add_on_plugin), decodes them from Base64, and updates a global WordPress option (propertyhive_pre_pro_add_ons) without performing any authentication, authorization (capability), or CSRF (nonce) checks.

The stored data is subsequently rendered in the WordPress administrative dashboard (specifically the "Features" tab of the Property Hive settings), where insufficient output escaping allows injected scripts to execute in the context of an administrator.

2. Attack Vector Analysis

  • Entry Point: admin_init hook. In WordPress, admin_init fires on all administrative pages and, crucially, during calls to /wp-admin/admin-ajax.php, which is accessible to unauthenticated users.
  • Vulnerable Action: ph_action=install_add_on.
  • Payload Parameters: ph_add_on_slug and ph_add_on_plugin.
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry: An unauthenticated request is made to /wp-admin/admin-ajax.php?ph_action=install_add_on&ph_add_on_slug=[BASE64]&ph_add_on_plugin=[BASE64].
  2. Hook: The admin_init hook triggers PH_Admin::check_install_add_on() in includes/admin/class-ph-admin.php.
  3. Condition Check: The function checks if $_GET['ph_action'] equals 'install_add_on' (Line 184).
  4. Processing:
    • It decodes the ph_add_on_slug and ph_add_on_plugin values from Base64.
    • It applies ph_clean() to the decoded values (Line 200). ph_clean (likely a wrapper for sanitize_text_field) is insufficient for preventing XSS in attribute contexts or if output escaping is missing.
  5. Storage: The processed values are appended to an array and stored in the database via update_option( 'propertyhive_pre_pro_add_ons', ... ) (Line 204).
  6. Sink: An administrator navigates to /wp-admin/admin.php?page=ph-settings&tab=features. The plugin retrieves the propertyhive_pre_pro_add_ons option and renders the content. If the rendering logic (likely in includes/admin/class-ph-admin-settings.php) echoes these values without esc_attr() or `esc_

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.