CVE-2025-23994 describes a stored cross-site scripting vulnerability in Estatebud – Properties & Listings plugin versions up to 5.5.0. The issue is due to improper neutralization of input during web page generation, which allows attackers to inject and store malicious scripts that execute in the context of users' browsers when viewing affected pages. This can lead to unauthorized actions such as data theft or session hijacking. The vulnerability has a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is remotely exploitable without privileges but requires user interaction, and impacts confidentiality, integrity, and availability with a scope change. No patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation of this stored XSS vulnerability can lead to partial compromise of confidentiality, integrity, and availability of the affected system or user data. Attackers may execute arbitrary scripts in the context of other users, potentially leading to session hijacking, data theft, or other malicious actions. The vulnerability is remotely exploitable without authentication but requires user interaction. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with untrusted input and consider applying temporary mitigations such as input validation or output encoding if feasible. Monitor vendor channels for updates or patches addressing this vulnerability.