
CVE-2021-38323: CWE-79 Cross-site Scripting (XSS) in RentPress RentPress

Medium
Tags: Vulnerability, CVE-2021-38323, cve, cve-2021-38323, cwe-79
Published: Thu Sep 09 2021 (09/09/2021, 18:10:40 UTC)
Source: CVE
Vendor/Project: RentPress
Product: RentPress

Description

The RentPress WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the selections parameter found in the ~/src/rentPress/AjaxRequests.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.6.4.

AI-Powered Analysis

Last updated: 07/07/2025, 01:11:56 UTC

Technical Analysis

CVE-2021-38323 is a Reflected Cross-Site Scripting (XSS) vulnerability identified in the RentPress WordPress plugin, specifically affecting versions up to and including 6.6.4. The vulnerability arises from improper sanitization of the 'selections' parameter in the ~/src/rentPress/AjaxRequests.php file. This flaw allows an attacker to inject arbitrary malicious scripts into web pages viewed by other users. When a victim accesses a crafted URL containing the malicious payload in the 'selections' parameter, the injected script executes in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. The CVSS v3.1 base score is 6.1 (medium severity), with the vector indicating that the attack can be launched remotely (AV:N) without privileges (PR:N), requires user interaction (UI:R), and impacts confidentiality and integrity with a scope change (S:C). No known exploits are reported in the wild, but the vulnerability remains a risk for unpatched systems. The plugin is commonly used by property rental websites built on WordPress, which may have diverse user bases and handle sensitive user data.

Potential Impact

For European organizations using the RentPress plugin on their WordPress sites, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized disclosure of user information, including personally identifiable information (PII) or session tokens, potentially violating GDPR requirements. Attackers could also manipulate site content or redirect users to phishing or malware sites, damaging brand reputation and trust. Since the vulnerability requires user interaction, the impact depends on the ability to lure users into clicking malicious links. However, the scope change in the CVSS vector indicates that the attack could affect resources beyond the vulnerable component, potentially impacting other parts of the web application. Organizations in sectors such as real estate, property management, and housing services in Europe could be targeted, especially those with high web traffic or sensitive client data. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits over time.

Mitigation Recommendations

European organizations should prioritize updating the RentPress plugin to a version beyond 6.6.4 where this vulnerability is patched. If an update is not immediately available, implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'selections' parameter. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters processed via AJAX requests. Educate users and administrators about phishing risks to reduce the likelihood of successful social engineering attacks exploiting this vulnerability. Regularly audit WordPress plugins for vulnerabilities and maintain an inventory to ensure timely patching. Additionally, monitor web server logs for suspicious requests containing unusual script tags or encoded payloads targeting the vulnerable parameter.
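
The log monitoring recommended above can be sketched as follows. This is an added example, not code from the advisory or from RentPress; it assumes combined-format access logs and assumes that legitimate `selections` values never contain markup, and the sample log lines, action name and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

PARAM = "selections"  # parameter named in the advisory
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Assumption: legitimate values never contain markup, script URLs or handlers.
SUSPICIOUS_RE = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(line):
    """Return decoded values of PARAM in one log line that look like markup."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    # parse_qs decodes once; fully_decode handles further encoding layers.
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    decoded = [fully_decode(v) for v in values]
    return [v for v in decoded if SUSPICIOUS_RE.search(v)]

def scan(lines):
    """Return (line_number, client_ip, decoded_value) for every hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for value in suspicious_values(line):
            hits.append((number, line.split(" ", 1)[0], value))
    return hits

# Constructed sample entries (documentation IPs, made-up action name).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Sep/2021:18:10:40 +0000] "GET /wp-admin/admin-ajax.php?action=example&selections=2br%2Cpets HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Sep/2021:18:11:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&selections=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 498',
    '198.51.100.7 - - [09/Sep/2021:18:11:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&selections=%253Csvg%2520onload%253D1%253E HTTP/1.1" 200 498',
    '203.0.113.9 - - [09/Sep/2021:18:12:30 +0000] "GET /index.php?page=2 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, ip, value in scan(SAMPLE_LOG):
        print(f"line {number}: {ip} sent {PARAM}={value!r}")
```

Access logs record only the query string, so a `selections` value sent in a POST body is invisible to this check and needs inspection at the WAF or application layer.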

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2021-08-09T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdc998

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/7/2025, 1:11:56 AM

Last updated: 8/6/2025, 6:22:38 PM
