CVE-2022-3933
Published: 12 December 2022
Summary
CVE-2022-3933 is a medium-severity vulnerability of unspecified weakness type in G5Theme Essential Real Estate. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 10.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Essential Real Estate WordPress plugin before version 3.9.6 contains a cross-site scripting vulnerability stemming from insufficient sanitization and escaping of certain parameters. The affected component is a plugin used for real-estate listing functionality on WordPress sites, and the flaw received a CVSS 5.4 rating reflecting network attack vector, low complexity, and low-privileged access requirements.
An authenticated user holding an administrator role or lower can supply crafted input that executes arbitrary script in the context of other users' browsers. Successful exploitation allows theft of session tokens, defacement, or redirection to malicious sites while operating within the changed scope noted in the CVSS vector.
The referenced WPScan advisory identifies the vulnerable plugin versions and points to the availability of a fixed release at 3.9.6 or later as the primary mitigation path.
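As an added, hypothetical illustration (not code from the Essential Real Estate plugin), the following shows the missing sanitization-and-escaping pattern the advisory describes: a WordPress listing meta field handled unsafely, then handled with the core sanitize and escape helpers. All function names and the meta key are invented.

```php
<?php
// Added example, not the plugin's own code. A hypothetical "agent note"
// field on a listing post: the unsafe pattern beside the hardened one.

// --- Vulnerable: raw request value stored, raw meta value echoed -----------
function ere_example_save_note_vulnerable( $post_id ) {
    if ( isset( $_POST['agent_note'] ) ) {
        // No sanitization: markup supplied by the editing user is stored verbatim.
        update_post_meta( $post_id, '_ere_example_note', $_POST['agent_note'] );
    }
}
function ere_example_render_note_vulnerable( $post_id ) {
    // No escaping: any <script> in the stored note runs in every viewer's browser.
    echo '<div class="agent-note">' . get_post_meta( $post_id, '_ere_example_note', true ) . '</div>';
}

// --- Hardened: sanitize on input, escape on output -------------------------
function ere_example_save_note( $post_id ) {
    // Verify intent and authorization before touching the listing.
    $nonce = isset( $_POST['ere_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['ere_example_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'ere_example_save' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['agent_note'] ) ) {
        // Plain-text field: strip tags, invalid octets and line breaks.
        // WordPress does not apply this to custom meta automatically, so an
        // Admin-supplied value would otherwise reach other users as markup.
        $note = sanitize_text_field( wp_unslash( $_POST['agent_note'] ) );
        update_post_meta( $post_id, '_ere_example_note', $note );
    }
}
function ere_example_render_note( $post_id ) {
    $note = get_post_meta( $post_id, '_ere_example_note', true );
    // Escape with the function matched to each output context.
    printf(
        '<div class="agent-note" data-note="%s">%s</div>',
        esc_attr( $note ),   // HTML attribute context
        esc_html( $note )    // HTML body context
    );
}
// A rich-text field would use wp_kses_post() instead of sanitize_text_field():
// it keeps post-safe markup but drops <script> tags and event-handler attributes.
```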
EPSS for this CVE rose from a low baseline to a peak of 0.3014 on 2025-12-11 before receding to the current value of 0.0476, indicating that exploitation interest emerged well after initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43267
Vulnerability details
The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escape some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.