PatchSiren cyber security CVE debrief
CVE-2019-25742 Fruitfulcode CVE debrief
CVE-2019-25742 is a persistent cross-site scripting (XSS) vulnerability in WordPress Theme Zoner Real Estate 4.1.1. The vulnerability allows authenticated agents to inject malicious scripts through the Address input field when creating properties. These scripts execute when administrators view the property for approval, enabling attackers to steal cookies and hijack sessions.
- Vendor: Fruitfulcode
- Product: Zoner Real Estate
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-10
Who should care
Administrators and users of WordPress Theme Zoner Real Estate 4.1.1, as well as security teams responsible for monitoring and patching vulnerabilities in WordPress themes.
Technical summary
The vulnerability has a CVSS score of 5.1 and a medium severity rating. Exploitation requires low privileges (an authenticated agent account) and user interaction: the injected script runs only when an administrator views the property for approval.
Defensive priority
Medium
Recommended defensive actions
- Update WordPress Theme Zoner Real Estate to a patched version.
- Restrict access to property creation to trusted users.
- Monitor for suspicious activity related to property creation and approval.
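One way to carry out the monitoring step is to audit stored property addresses for markup before an administrator opens them. This is an added example, not code from the theme or the advisory; the row layout (`id`, `author`, `status`, `address`) and the pattern list are assumptions, and the sample rows are constructed.

```python
import html
import re
from urllib.parse import unquote

# Heuristics for content that does not belong in a postal address (assumed).
SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z!]", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script_uri", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
]

def normalize(value, rounds=3):
    """Undo nested URL and HTML-entity encoding so encoded markup is caught."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def audit_address(address):
    """Return the names of the suspicious patterns found in one Address value."""
    text = normalize(address)
    return [name for name, rx in SUSPICIOUS if rx.search(text)]

def audit_properties(rows):
    """Flag rows whose address carries markup; pending items come first
    because those are the ones an administrator is about to open."""
    findings = [
        {"id": r["id"], "author": r["author"], "status": r["status"],
         "hits": audit_address(r["address"])}
        for r in rows
    ]
    findings = [f for f in findings if f["hits"]]
    return sorted(findings, key=lambda f: f["status"] != "pending")

# Constructed sample export; the column names are hypothetical.
SAMPLE_ROWS = [
    {"id": 101, "author": "agent_a", "status": "publish",
     "address": "12 High St, Apt #4, Springfield"},
    {"id": 103, "author": "agent_c", "status": "publish",
     "address": "&amp;lt;script&amp;gt;document.cookie&amp;lt;/script&amp;gt;"},
    {"id": 102, "author": "agent_b", "status": "pending",
     "address": "9 Elm Rd <img src=x onerror=alert(1)>"},
]

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE_ROWS):
        print(finding)
```

A hit identifies the agent account that submitted the record, which is the starting point for reviewing that account's other submissions.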
Evidence notes
The CVE record and NVD detail pages provide official information about the vulnerability. Additional sources, including the theme's author and exploit databases, offer further context.
Official resources
CVE-2019-25742 was published on 2019-04-09 and modified on 2019-04-09.