Impact
This vulnerability stems from improper neutralization of script-related HTML tags (the CWE-80 pattern, basic XSS) in the RadiusTheme Classified Listing WordPress plugin. Input that the plugin accepts is written into pages that render plugin content without adequate sanitization or output encoding, so an attacker can inject script that runs in the browser of anyone who views the affected page. The consequences are those of a classic cross-site scripting attack: defacement of plugin-rendered pages, theft of session cookies, and actions performed on the site with the victim's privileges, which compromises the integrity and confidentiality of user sessions and site data.
Affected Systems
WordPress sites running the RadiusTheme Classified Listing plugin at version 5.0.0 or earlier are affected. The affected range is every release from the earliest published version through 5.0.0 inclusive; the page does not narrow it further by configuration or site type.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The most likely attack path is a user, authenticated or not (the required privilege level is not documented here), submitting crafted input through a plugin-managed field such as a listing, a comment, or a custom field, which the plugin then renders without neutralizing script-related markup. Because no specific prerequisites are documented, the practical risk ranges from low to medium depending on how much of the plugin's input surface is exposed to the public.
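The page does not identify which plugin field or template is the vulnerable sink, so the following is a constructed illustration of the weakness class rather than the plugin's code or a reproduction of this CVE. It assumes a user-supplied listing title rendered into an HTML text node, contrasts a "strip the script tag" approach (the kind of incomplete neutralization CWE-80 describes) with proper output encoding, and uses Python's own HTML parser as a stand-in for the browser to show which payloads survive each treatment. Payloads, the wrapper markup and the class name are all made up for the example.

```python
"""Script-tag stripping versus output encoding, audited with an HTML parser.

Constructed example. The renderers model a listing-title sink invented for
this illustration; they are not the Classified Listing plugin's code.
"""
import html
import re
from html.parser import HTMLParser

# Constructed attacker inputs a listing form might receive.
PAYLOADS = [
    "<script>alert(1)</script>",                  # the obvious case
    "<SCRIPT>alert(1)</SCRIPT>",                  # case variant
    "<scr<script>ipt>alert(1)</script>",          # tag rebuilt after one-pass strip
    '<img src=x onerror="alert(1)">',             # no script tag at all
    '<a href="javascript:alert(1)">click</a>',    # URL scheme, not a tag
]

WRAP_OPEN = '<h2 class="listing-title">'   # hypothetical template markup
WRAP_CLOSE = "</h2>"

# A literal-only, case-sensitive blocklist: the flawed neutralization.
SCRIPT_TAG = re.compile(r"</?script>")


def render_naive(title: str) -> str:
    """Improper neutralization: delete literal <script> tags, keep everything else."""
    return WRAP_OPEN + SCRIPT_TAG.sub("", title) + WRAP_CLOSE


def render_escaped(title: str) -> str:
    """Correct handling for an HTML text node: encode the characters that
    change how the browser parses the page (<, >, &, quotes)."""
    return WRAP_OPEN + html.escape(title, quote=True) + WRAP_CLOSE


class ScriptDetector(HTMLParser):
    """Stand-in for the browser: records constructs that would execute script."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            if name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def findings(rendered: str) -> list[str]:
    """Parse a rendered fragment and return the executable constructs found."""
    det = ScriptDetector()
    det.feed(rendered)
    det.close()
    return det.findings


def audit(renderer) -> dict[str, list[str]]:
    """Map each payload to what survives the given renderer."""
    return {p: findings(renderer(p)) for p in PAYLOADS}


if __name__ == "__main__":
    for name, renderer in (("naive", render_naive), ("escaped", render_escaped)):
        print(f"--- {name} ---")
        for payload, found in audit(renderer).items():
            print(f"{payload!r:45} -> {found or 'clean'}")
```

The naive renderer only neutralizes the first payload; the case variant, the rebuilt tag, the event-handler attribute and the javascript: URL all reach the parser intact, while encoding the value for its output context defuses every one of them. In a WordPress plugin the equivalent of `render_escaped` is `esc_html()` for text nodes and `esc_attr()` for attribute values, applied at output time; where a field legitimately needs limited markup, an allowlist sanitizer such as `wp_kses_post()` is the right tool rather than a tag blocklist.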