Cyber Resilience

CVE-2022-3933

Medium · Public PoC

Published: 12 December 2022

Modified: 22 April 2025
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0476 (89.7th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-3933 is a medium-severity vulnerability in G5Theme Essential Real Estate; the record lists no specific weakness type (CWE). Its CVSS base score is 5.4 (Medium).

Operationally, it ranks in the top 10.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Essential Real Estate WordPress plugin before version 3.9.6 contains a cross-site scripting vulnerability stemming from insufficient sanitization and escaping of certain parameters. The affected component is a plugin used for real-estate listing functionality on WordPress sites. The CVSS 5.4 rating reflects a network attack vector, low attack complexity and a low-privilege requirement; the vector also records that user interaction is required (UI:R) and that the scope changes (S:C), since the injected script runs in another user's browser rather than in the plugin itself.

An authenticated user holding a role as low as administrator can supply crafted input that executes arbitrary script in the context of other users' browsers. Successful exploitation allows theft of session tokens, defacement, or redirection to malicious sites, consistent with the changed scope noted in the CVSS vector.

The referenced WPScan advisory identifies the vulnerable plugin versions and points to the availability of a fixed release at 3.9.6 or later as the primary mitigation path.

EPSS for this CVE rose from a low baseline to a peak of 0.3014 on 2025-12-11 before receding to the current value of 0.0476, indicating that exploitation interest emerged well after initial disclosure.

Vulnerability details

The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escape some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: g5theme
Product: essential real estate
Versions: ≤ 3.9.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.