Summary:
A stored Cross-Site Scripting (XSS) flaw, tracked as CVE-2022-44576, affects the AgentEasy Properties WordPress plugin in versions up to and including 1.0.4. An authenticated user with the Administrator role (or higher, on multisite) can save JavaScript into a listing field; the script is stored unsanitized and executes in the browser of anyone who later views that content, other administrators included.
What is AgentEasy Properties?
AgentEasy Properties is a WordPress plugin that helps users manage property listings on their website. Features include adding/editing property details and displaying listings via shortcodes.
- User Role Required: Authenticated admin or higher
- CVE ID: CVE-2022-44576
How It Happens
The plugin neither sanitizes input when an admin creates or edits a property listing nor escapes the stored values when it renders them. An attacker with admin access who submits JavaScript in a listing field gets it written to the database verbatim, and it runs in the browser of every user who views the page where that listing is displayed.
Let's look at a simplified snippet that illustrates the vulnerable pattern (the save handler, reduced to the part that matters):
// Vulnerable save handler: the title is taken straight from the request
global $wpdb;
if ( isset( $_POST['property_title'] ) ) {
    $property_title = $_POST['property_title']; // no sanitization or validation
    // ...other code...
    $wpdb->insert(
        $wpdb->prefix . 'agenteasy_properties',
        array(
            'title' => $property_title, // stored verbatim, <script> tags included
            // More fields
        ),
        array( '%s' )
    );
}
What's missing?
No sanitization, escaping, or validation of $property_title before it is written to the database. Note that $wpdb->insert() does prepare the value, so this is not SQL injection; the stored string is simply raw HTML that the plugin will later print back out.
When displaying the property, the vulnerable template echoes the title directly
echo $property->title;
Again, no escaping. If malicious code is stored, it runs in any browser viewing the page.
Once the attacker saves the property, anyone who views the listing, including other admins or editors, triggers the script on page load.
Potential Damage
- Credential theft (cookies/session)
- Actions performed with the victim's privileges: the script runs inside the victim's authenticated session, so it can drive the admin interface (creating users, changing settings) as that user
How to Fix It
Sanitize on the way in and escape on the way out; both steps are needed, because escaping must match the output context and sanitizing alone does not cover rows that were stored before the fix.
// Saving input securely: plain-text field, slashes removed first
$property_title = sanitize_text_field( wp_unslash( $_POST['property_title'] ) );
// Displaying output securely in HTML body context (use esc_attr() inside attributes)
echo esc_html( $property->title );
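The two lines above cover one field. As an added example (not code from the plugin or its author), here is a complete hardened save-and-display pair for a listing: it adds the capability and nonce checks a save handler also needs, sanitizes each field according to its type, uses the site's real table prefix, and escapes each value for the context it lands in. The function names, table and column names, the hook name and the `manage_options` capability are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Names and schema are assumptions.

add_action( 'admin_post_agenteasy_save_property', 'agenteasy_example_save_property' );

function agenteasy_example_save_property() {
    global $wpdb;

    // 1. Authorization and CSRF: only permitted users, only with a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'agenteasy_save_property' );

    // 2. Sanitize on input, per field type: plain text for the title, limited
    //    HTML for the description, a whole number for the price. wp_kses_post()
    //    strips <script>, on* handlers and javascript: URLs regardless of role.
    $title       = sanitize_text_field( wp_unslash( $_POST['property_title'] ?? '' ) );
    $description = wp_kses_post( wp_unslash( $_POST['property_description'] ?? '' ) );
    $price       = absint( $_POST['property_price'] ?? 0 );

    if ( '' === $title ) {
        wp_die( 'A title is required.', '', array( 'response' => 400 ) );
    }

    // 3. Store via $wpdb->insert(), which prepares the values, using the real
    //    table prefix rather than a hard-coded "wp_".
    $wpdb->insert(
        $wpdb->prefix . 'agenteasy_properties',
        array(
            'title'       => $title,
            'description' => $description,
            'price'       => $price,
        ),
        array( '%s', '%s', '%d' )
    );

    wp_safe_redirect( admin_url( 'admin.php?page=agenteasy&saved=1' ) );
    exit;
}

// Display side: escape each value for the context it is printed into.
function agenteasy_example_render_property( $property ) {
    $html  = '<div class="agenteasy-property" data-id="' . esc_attr( $property->id ) . '">';
    $html .= '<h2>' . esc_html( $property->title ) . '</h2>';
    // Filter the description again on output so rows written before the fix
    // are neutralized too, not only rows saved through the hardened handler.
    $html .= '<div class="description">' . wp_kses_post( $property->description ) . '</div>';
    $html .= '<p class="price">' . esc_html( number_format_i18n( (int) $property->price ) ) . '</p>';
    $html .= '</div>';
    return $html;
}

// Shortcode that renders one listing; the id attribute is coerced to an int
// and bound with prepare() before it reaches the query.
add_shortcode( 'agenteasy_property', function ( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $row  = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, title, description, price FROM {$wpdb->prefix}agenteasy_properties WHERE id = %d",
        absint( $atts['id'] )
    ) );
    return $row ? agenteasy_example_render_property( $row ) : '';
} );
```

Filtering the description with wp_kses_post() on output as well as on save is deliberate: a plugin update does not rewrite rows already in the table, so output escaping is the only step that protects against content stored while the vulnerable version was active.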
Responsible Disclosure
The vulnerability was responsibly reported via the WPScan Vulnerability Database and logged as CVE-2022-44576.
Official References:
- NVD Entry for CVE-2022-44576
- WPScan Database Entry
Who is Affected?
Any WordPress site running AgentEasy Properties 1.0.4 or earlier. The attack *requires* an Administrator (or higher) account, so on a single-site install where admins hold the unfiltered_html capability the plugin adds little that an admin could not already do; it matters where that capability has been removed (multisite, or DISALLOW_UNFILTERED_HTML), and whenever another plugin or weakness lets a lower-privileged user reach the admin role, at which point stored XSS becomes a way to reach every other admin's session.
What to Do
- Update: install the latest plugin version, and deactivate the plugin if no fixed release is available for your install.
- Audit User Roles: Review your site's admins and remove any unknown or suspicious accounts.
- Sanitize Existing Data: Clean out any suspicious or unexpected content in property titles/descriptions; an update does not rewrite rows that were saved while the vulnerable version was active.
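Checking existing rows by hand is error-prone, so the following is an added example (not part of the plugin) of a WP-CLI command that flags rows whose stored title or description would change under the sanitizers the fix applies. If sanitize_text_field() or wp_kses_post() alters a value, that value contains tags, event handlers or URLs the fix would strip, which is exactly what an attacker's payload looks like. The command name, function names, table and column names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Command and schema names are assumptions.
// Usage (after placing this file in wp-content/mu-plugins/): wp agenteasy-audit

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'agenteasy-audit', 'agenteasy_example_audit_command' );
}

// Returns the subset of $rows that look tampered with, each with the reasons.
function agenteasy_example_suspicious_rows( array $rows ) {
    $flagged = array();
    foreach ( $rows as $row ) {
        $reasons = array();
        // Primary signal: the stored value is not a fixed point of the sanitizer.
        if ( sanitize_text_field( $row->title ) !== $row->title ) {
            $reasons[] = 'title changes under sanitize_text_field()';
        }
        if ( wp_kses_post( $row->description ) !== $row->description ) {
            $reasons[] = 'description changes under wp_kses_post()';
        }
        // Secondary signal: the most common payload shapes, case-insensitive.
        if ( preg_match( '/<script|on\w+\s*=|javascript:/i', $row->title . ' ' . $row->description ) ) {
            $reasons[] = 'matches <script / on*= / javascript: pattern';
        }
        if ( $reasons ) {
            $flagged[] = array( 'id' => (int) $row->id, 'reasons' => $reasons );
        }
    }
    return $flagged;
}

function agenteasy_example_audit_command() {
    global $wpdb;
    $rows    = $wpdb->get_results( "SELECT id, title, description FROM {$wpdb->prefix}agenteasy_properties" );
    $flagged = agenteasy_example_suspicious_rows( $rows );
    if ( ! $flagged ) {
        WP_CLI::success( 'No suspicious property rows found.' );
        return;
    }
    foreach ( $flagged as $hit ) {
        WP_CLI::warning( sprintf( 'Row %d: %s', $hit['id'], implode( '; ', $hit['reasons'] ) ) );
    }
    WP_CLI::log( 'Review the flagged rows from the database or WP-CLI, not through the plugin edit form.' );
}
```

Two caveats. wp_kses_post() also normalizes harmless markup (quote style, entity forms), so expect a few false positives among rows that contain legitimate HTML; the regex is there to rank the hits. And until the plugin is updated, do not open a flagged row in the plugin's own edit screen: if that form also prints the title unescaped, the auditor's browser is the next victim.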
Final Thoughts
Even admin-only XSS can have severe consequences: one compromised admin account can threaten the whole site, especially where other plugins are lax about user roles or the site relies on admins not holding unfiltered_html. Sanitize and escape user input regardless of the role or trust level of the user who supplied it.
Stay safe and keep all plugins up to date!
Further Reading:
- WordPress Plugin Handbook: Data Validation (sanitizing and escaping)
Timeline
Published on: 11/02/2022 22:15:00 UTC
Last modified on: 11/04/2022 01:52:00 UTC