Stored Cross-Site Scripting Vulnerability in Real Estate Pro Plugin for WordPress
CVE-2026-1845

5.5MEDIUM

Key Information:

Vendor: WordPress
Status: Real Estate Pro
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-1845?

The Real Estate Pro plugin for WordPress suffers from a Stored Cross-Site Scripting (XSS) vulnerability caused by inadequate input sanitization and output escaping within its admin settings. This flaw allows authenticated attackers, specifically those with administrator privileges, to inject arbitrary web scripts into pages. When users visit these compromised pages, any injected scripts execute, potentially leading to serious security issues. This vulnerability primarily affects multi-site installations and those setups where unfiltered_html capability is turned off, creating an avenue for attackers to exploit the system.

Affected Version(s)

Real Estate Pro 0 <= 1.0.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/re-pro/

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Feb 3, 2026

Credit

Muhammad Nur Ibnu Hubab

CVE-2026-1845 Data

JSON