CVE-2026-1931: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jonschr Rent Fetch
The Rent Fetch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'keyword' parameter in all versions up to, and including, 0.32.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2026-1931 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Rent Fetch plugin for WordPress, maintained by jonschr. The vulnerability exists due to improper neutralization of user input during web page generation, specifically via the 'keyword' parameter. All versions up to and including 0.32.4 fail to adequately sanitize and escape this parameter, allowing unauthenticated attackers to inject arbitrary JavaScript code that is stored persistently and executed in the context of any user who accesses the affected pages. This stored XSS can be exploited remotely without authentication or user interaction, increasing its risk profile. The CVSS v3.1 score of 7.2 reflects high severity, with an attack vector of network, low attack complexity, no privileges required, no user interaction, and a scope change indicating the vulnerability affects components beyond the initially vulnerable plugin. The impact includes partial confidentiality and integrity loss, such as theft of session cookies, defacement, or manipulation of displayed content. No patches are currently linked, and no known exploits are reported in the wild, but the public disclosure means attackers could develop exploits rapidly. The vulnerability is categorized under CWE-79, a common and dangerous web application security flaw. Organizations using Rent Fetch on WordPress should be aware of this risk and prepare to apply fixes or mitigations promptly.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for those operating websites related to real estate or rental services using the Rent Fetch plugin. Exploitation can lead to session hijacking, enabling attackers to impersonate legitimate users, steal sensitive data, or perform unauthorized actions. It can also facilitate phishing attacks by injecting malicious scripts that alter page content or redirect users to fraudulent sites. The integrity of website content can be compromised, damaging brand reputation and user trust. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale, potentially affecting a large user base. The scope change in the CVSS vector suggests that the impact may extend beyond the plugin itself, possibly affecting other components or user sessions. Given the widespread use of WordPress in Europe and the importance of digital presence in the real estate market, the threat could disrupt business operations and lead to regulatory compliance issues under GDPR if personal data is compromised.
Mitigation Recommendations
1. Monitor the vendor's official channels for an official patch and apply it immediately upon release.
2. In the absence of a patch, implement Web Application Firewalls (WAFs) with rules specifically targeting XSS payloads, focusing on the 'keyword' parameter in HTTP requests to the Rent Fetch plugin endpoints.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages.
4. Conduct code reviews and, if feasible, apply temporary input validation and output encoding on the 'keyword' parameter within the plugin's codebase to neutralize malicious input.
5. Educate site administrators and users about the risks of XSS and encourage vigilance for suspicious site behavior.
6. Regularly audit website logs for unusual requests or payloads targeting the vulnerable parameter.
7. Consider isolating or disabling the Rent Fetch plugin temporarily if immediate patching is not possible and the risk is deemed high.
8. Ensure backup and recovery procedures are in place to restore affected sites quickly if exploitation occurs.
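To make recommendation 4 concrete, the following is an added example (not code from the Rent Fetch plugin or its author) of a hypothetical WordPress shortcode handler that renders a user-supplied 'keyword' value: first in the unescaped form that produces a CWE-79 defect, then hardened with WordPress's own sanitize-on-input and escape-for-context functions. The function and shortcode names, and the assumption that the keyword may also arrive as a request parameter, are constructed for illustration.

```php
<?php
// Added example, not Rent Fetch's own code. Function/shortcode names are
// assumptions; only the WordPress API calls (shortcode_atts, wp_unslash,
// sanitize_text_field, esc_attr, esc_html, add_shortcode) are real.

// VULNERABLE (illustrative, not registered): the attribute is concatenated
// straight into markup, so a payload stored in 'keyword' is executed by the
// browser of every visitor who loads the page.
function rf_example_keyword_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'keyword' => '' ), $atts, 'rf_example' );
    return '<div class="rf-keyword" data-keyword="' . $atts['keyword'] . '">'
         . 'Results for: ' . $atts['keyword'] . '</div>';
}

// HARDENED: sanitize once on the way in, then escape for the exact output
// context on the way out (esc_attr inside an attribute, esc_html in text).
function rf_example_keyword_hardened( $atts ) {
    $atts = shortcode_atts( array( 'keyword' => '' ), $atts, 'rf_example' );

    // Assumption: the keyword may come from the shortcode attribute or,
    // failing that, from a 'keyword' request parameter. Both are untrusted.
    $raw = '' !== $atts['keyword']
        ? $atts['keyword']
        : ( isset( $_GET['keyword'] ) ? wp_unslash( $_GET['keyword'] ) : '' );

    // Input validation: strip tags, encoded entities and control characters,
    // and bound the length so the stored value stays a plain search term.
    $keyword = substr( sanitize_text_field( $raw ), 0, 100 );

    // Output encoding: escape separately for each HTML context.
    return '<div class="rf-keyword" data-keyword="' . esc_attr( $keyword ) . '">'
         . 'Results for: ' . esc_html( $keyword ) . '</div>';
}

add_shortcode( 'rf_example', 'rf_example_keyword_hardened' );
```

Sanitization alone is not sufficient: a value that looks harmless as text can still break out of an attribute, so the escaping step must match the context where the value is written.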
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-04T21:00:47.083Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6995477180d747be203eb817
Added to database: 2/18/2026, 5:00:33 AM
Last enriched: 2/18/2026, 5:15:03 AM
Last updated: 2/20/2026, 8:59:48 PM