The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw (CWE-79) that allows attackers to inject arbitrary script into web pages rendered by the RadiusTheme Classified Listing plugin. This reflected XSS can lead to session hijacking, manipulation of page content, or delivery of malicious payloads to site visitors, compromising the confidentiality and integrity of user sessions. The attack does not require authentication and affects any user who can access the vulnerable plugin’s functionality.

RadiusTheme Classified Listing plugin, versions from the unknown minimum through version 4.0.1. All installations running 4.0.1 or earlier are susceptible. No information is available for versions after 4.0.1, and no specific operating system or platform constraints are noted.

The CVSS score of 7.1 indicates a high severity with moderate exploitation complexity. The EPSS score of less than 1% suggests that, at the time of analysis, exploitation is unlikely but still plausible. The vulnerability is not listed in CISA KEV, implying there have been no confirmed exploits in the wild. The attack vector is inferred to be remote and network-based, through a web request containing malicious query parameters or form input that is reflected in the plugin’s output.