Property Hive <= 2.2.2 - Unauthenticated Stored Cross-Site Scripting
Description
The Property Hive plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v2.2.3
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-42729 (Property Hive Stored XSS) ## 1. Vulnerability Summary The **Property Hive** plugin for WordPress (versions <= 2.2.2) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in the `PH_Admin::check_install_add_on` met…
Show full research plan
Exploitation Research Plan: CVE-2026-42729 (Property Hive Stored XSS)
1. Vulnerability Summary
The Property Hive plugin for WordPress (versions <= 2.2.2) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in the PH_Admin::check_install_add_on method, which is hooked to admin_init. This method processes user-supplied data from $_GET parameters (ph_add_on_slug and ph_add_on_plugin), decodes them from Base64, and updates a global WordPress option (propertyhive_pre_pro_add_ons) without performing any authentication, authorization (capability), or CSRF (nonce) checks.
The stored data is subsequently rendered in the WordPress administrative dashboard (specifically the "Features" tab of the Property Hive settings), where insufficient output escaping allows injected scripts to execute in the context of an administrator.
2. Attack Vector Analysis
- Entry Point:
admin_inithook. In WordPress,admin_initfires on all administrative pages and, crucially, during calls to/wp-admin/admin-ajax.php, which is accessible to unauthenticated users. - Vulnerable Action:
ph_action=install_add_on. - Payload Parameters:
ph_add_on_slugandph_add_on_plugin. - Authentication: None required (Unauthenticated).
- Preconditions: The plugin must be active.
3. Code Flow
- Entry: An unauthenticated request is made to
/wp-admin/admin-ajax.php?ph_action=install_add_on&ph_add_on_slug=[BASE64]&ph_add_on_plugin=[BASE64]. - Hook: The
admin_inithook triggersPH_Admin::check_install_add_on()inincludes/admin/class-ph-admin.php. - Condition Check: The function checks if
$_GET['ph_action']equals'install_add_on'(Line 184). - Processing:
- It decodes the
ph_add_on_slugandph_add_on_pluginvalues from Base64. - It applies
ph_clean()to the decoded values (Line 200).ph_clean(likely a wrapper forsanitize_text_field) is insufficient for preventing XSS in attribute contexts or if output escaping is missing.
- It decodes the
- Storage: The processed values are appended to an array and stored in the database via
update_option( 'propertyhive_pre_pro_add_ons', ... )(Line 204). - Sink: An administrator navigates to
/wp-admin/admin.php?page=ph-settings&tab=features. The plugin retrieves thepropertyhive_pre_pro_add_onsoption and renders the content. If the rendering logic (likely inincludes/admin/class-ph-admin-settings.php) echoes these values withoutesc_attr()or `esc_
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.