COSMICBYTEZLABS
CVE-2015-20115: RealtyScript 4.0.2 Stored XSS via File Upload in Admin Panel

Security | High | CVE-2015-20115

CVE-2015-20115 is a stored cross-site scripting vulnerability in RealtyScript 4.0.2 that allows authenticated attackers to upload malicious script files...

Dylan H.

Security Team

March 16, 2026
5 min read

Affected Products

  • RealtyScript 4.0.2

Stored XSS via Unsanitized File Upload in RealtyScript Admin Panel

CVE-2015-20115 is a stored cross-site scripting (XSS) vulnerability in RealtyScript 4.0.2, a PHP-based real estate listing management application. The flaw resides in the admin file management endpoint and allows an authenticated attacker to persistently inject malicious JavaScript into the application by uploading a crafted file.

The vulnerability was assigned a CVSS v2.0 base score of 7.2 (High) and was disclosed to the NVD on March 16, 2026, even though the CVE year and the affected version number indicate that the flaw dates from far older software.


Vulnerability Details

Detail              | Value
--------------------|------------------------------------------------------------------
CVE                 | CVE-2015-20115
CVSS v2.0           | 7.2 (High)
Type                | Stored Cross-Site Scripting (XSS)
Attack Vector       | Network — requires admin authentication
Affected Parameter  | file (POST) in admin/tools.php
Affected Product    | RealtyScript 4.0.2
CWE                 | CWE-79: Improper Neutralization of Input During Web Page Generation

How the Vulnerability Works

The flaw exists in the file upload handler at admin/tools.php. When a POST request is submitted to this endpoint, the server accepts arbitrary file content via the file parameter without validating the file type, extension, or inspecting file contents for embedded scripts.

An authenticated admin (or an attacker who has compromised admin credentials) can trigger the flaw as follows:

  1. The attacker uploads a file with an embedded JavaScript payload
  2. The server stores the file without sanitization
  3. When the file or its path is rendered in the admin interface, the browser executes the stored script in the context of the admin session

Attack Flow

Step | Action                                       | Result
-----|----------------------------------------------|---------------------------------------
1    | Attacker authenticates to admin/tools.php    | Access to file upload panel
2    | POST request with malicious file parameter   | File stored on server
3    | Admin views the stored file reference        | XSS payload executes in admin context
4    | Session hijacking or admin action forgery    | Full application compromise

Impact Assessment

Impact Area             | Description
------------------------|---------------------------------------------------------------------------
Confidentiality         | Admin session cookies, credentials, and data accessible to attacker script
Integrity               | Malicious script can modify application content or settings
Availability            | Admin account manipulation could lock out legitimate users
Scope                   | Stored XSS persists until the malicious file is removed
Authentication required | Yes — admin credentials needed to upload

While the vulnerability requires authentication to exploit, stored XSS in an admin panel represents a significant risk. Attackers who gain even temporary admin access can plant a persistent payload that continues to execute for other admin users visiting the affected page.


Affected Software

RealtyScript is an open-source PHP real estate listing platform used by property management businesses, real estate agencies, and classified listing sites. Version 4.0.2 is the confirmed affected release. There is no vendor-issued patch noted in the NVD entry.

Organizations running RealtyScript 4.0.2 in production, particularly those with the admin panel exposed to the internet, should treat this as a critical remediation priority given the CVSS score and the persistent nature of the XSS.


Remediation

For Operators Running RealtyScript 4.0.2

  1. Check for a newer version — review the RealtyScript project repository for any releases that address this CVE
  2. Restrict admin panel access — place admin/ behind IP allowlisting or VPN; do not expose it publicly
  3. Audit uploaded files — review admin/tools.php upload history for any unexpected file types (.php, .js, .html)
  4. Implement Content Security Policy (CSP) — a strict CSP header will mitigate the impact of stored XSS even if the upload flaw remains unpatched
  5. Sanitize file inputs — if maintaining a custom deployment, add server-side file type validation and strip HTML/script tags from all user-supplied content before storage
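As an added illustration of the server-side validation asked for in step 5 and the upload audit in step 3 (example code written for this article, not RealtyScript's own handler), the Python classifier below rejects or flags an upload by extension allowlist, magic-byte check and a scan for embedded script or PHP markers, which defeats the MIME spoofing and double-extension tricks the page mentions. The allowlist, the upload directory and the sample files are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Hypothetical allowlist of what a listing tool legitimately needs; not RealtyScript's own policy.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Leading bytes each allowed type must carry: a client-supplied MIME type or extension is spoofable.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8", ".pdf": b"%PDF-"}
# Extensions a server or browser may execute if they appear anywhere in the name (x.php.jpg).
EXEC_EXT = {".php", ".phtml", ".js", ".html", ".htm"}
# Heuristic markers of embedded script or PHP; errs toward flagging, which is what an audit wants.
SCRIPT_RE = re.compile(rb"<\s*script|javascript:|\bon\w+\s*=|<\?php", re.IGNORECASE)


def classify_upload(filename: str, content: bytes) -> str:
    """Return 'ok' if the upload passes every check, else the reason it must be rejected."""
    exts = [s.lower() for s in Path(Path(filename).name).suffixes]  # name only, no path parts
    if not exts or exts[-1] not in ALLOWED_EXT:
        return f"extension not allowed: {exts[-1] if exts else '(none)'}"
    if any(e in EXEC_EXT for e in exts[:-1]):
        return "double extension with executable type"
    if not content.startswith(MAGIC[exts[-1]]):
        return "content does not match claimed type"
    m = SCRIPT_RE.search(content)
    if m:
        return f"embedded script marker: {m.group(0)!r}"
    return "ok"


def audit_uploads(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Audit mode: run classify_upload over {name: content} and list the files that fail."""
    verdicts = ((name, classify_upload(name, data)) for name, data in files.items())
    return [(name, why) for name, why in verdicts if why != "ok"]


def audit_upload_dir(root: str) -> list[tuple[str, str]]:
    """Audit every file under an existing upload directory (e.g. the one admin/tools.php writes to)."""
    paths = [p for p in Path(root).rglob("*") if p.is_file()]
    return audit_uploads({str(p): p.read_bytes() for p in paths})


if __name__ == "__main__":
    # Constructed samples: a clean JPEG, a GIF/HTML polyglot, a double extension, a mislabelled PNG.
    SAMPLES = {
        "listing.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "poly.gif": b"GIF89a<script>alert(1)</script>",
        "shell.php.jpg": b"\xff\xd8\xff\xe0",
        "fake.png": b"<svg onload=alert(1)>",
    }
    for name, why in audit_uploads(SAMPLES):
        print(f"FLAG {name}: {why}")
```

Run audit_upload_dir against the directory admin/tools.php stores uploads in to get the list of files step 3 asks you to review; the same classify_upload logic is what a hardened upload handler should apply before writing anything to disk.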

Immediate Short-Term Mitigations

  • Disable the file upload functionality in admin/tools.php if not actively used
  • Enforce strong admin credentials and enable two-factor authentication to limit unauthorized admin access
  • Enable web application firewall (WAF) rules for PHP file upload filtering

Key Takeaways

  1. Stored XSS in admin panels is high-severity — the CVSS 7.2 rating reflects that even authenticated file upload flaws carry significant risk when they enable persistent script injection
  2. File upload handlers require server-side validation — relying on client-side checks alone is insufficient; MIME type spoofing and extension manipulation are trivial
  3. Old software with new CVEs remains dangerous — CVE-2015-20115 was disclosed to NVD in 2026, meaning administrators may have been running vulnerable software for years without knowing it was formally catalogued
  4. Restrict admin surfaces — real estate platforms often run by small teams may not have the same security hygiene as enterprise software; admin panel exposure is a systemic risk

Sources

  • NVD — CVE-2015-20115
  • NIST National Vulnerability Database
