Impact
The ListingHub plugin contains a reflected cross-site scripting flaw in which user-supplied data is not properly sanitized before being output in a web page. This weakness, identified as CWE-79, allows an attacker to inject arbitrary JavaScript that runs in the browser of any visitor to the vulnerable page. The injected script can steal session cookies, manipulate the DOM, deface the site, or redirect users to malicious destinations. The direct impact is limited to the user interactions that are compromised, but it can lead to credential compromise or further exploitation if privileged access is obtained.
Affected Systems
The vulnerability affects the WordPress ListingHub plugin released by e-plugins, in all versions up to and including 1.2.6. WordPress sites that have this plugin installed at version 1.2.6 or earlier are at risk.
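The affected range above can be checked against an installed copy by reading the `Version:` field that WordPress plugins declare in the comment header of their main file. The following is an added example, not code from the advisory or from the plugin; the sample header is constructed, and the plugin's real file name and header contents are not given on this page.

```python
import re

LAST_AFFECTED = "1.2.6"  # from the advisory: versions up through 1.2.6

# WordPress plugin metadata lives in a comment header of the main plugin file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header for illustration (not copied from the plugin).
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: ListingHub
 * Version: 1.2.6
 */
"""


def parse_plugin_version(header_text):
    """Return the Version field from a plugin file header, or None."""
    # WordPress only scans the first 8 KiB of the file for header fields.
    match = HEADER_RE.search(header_text[:8192])
    return match.group(1) if match else None


def version_key(version):
    """Turn '1.2.6' into (1, 2, 6); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected; unknown versions count as affected."""
    if version is None:
        return True
    try:
        found, limit = version_key(version), version_key(last_affected)
    except ValueError:
        return True  # fail closed: cannot show the install is outside the range
    # Pad to equal length so '1.2' compares as 1.2.0 and '1.2.6.1' as newer.
    width = max(len(found), len(limit))
    found += (0,) * (width - len(found))
    limit += (0,) * (width - len(limit))
    return found <= limit


if __name__ == "__main__":
    installed = parse_plugin_version(SAMPLE_HEADER)
    print(installed, "affected" if is_affected(installed) else "outside stated range")
```

A result of "outside stated range" only means the version is newer than 1.2.6; the page does not name a fixed release.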
Risk and Exploitability
The CVSS score of 7.1 classifies the vulnerability as high severity. The EPSS score is < 1%, indicating a very low probability of exploitation at this time, and the issue is not currently listed in the CISA KEV catalog. The attack vector is web-based; a remote attacker could craft a malicious URL or input that is reflected back into the page and executed in the victim’s browser. Because the vulnerability is reflected, exploitation requires a victim to visit the manipulated link or interact with the affected input field, but it does not require additional privileges on the host.
OpenCVE Enrichment