Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows DOM-Based XSS. This issue affects ListingPro Lead Form: from n/a through <= 1.0.7.
Published: 2025-12-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in CridioStudio ListingPro Lead Form lets an attacker inject JavaScript that executes in the victim's browser with the site's origin. Because the flaw is DOM-based, the injection happens in the plugin's client-side script rather than in server-rendered HTML. The resulting script can read or modify anything on the page the victim sees, deface the page, and issue requests in the victim's authenticated session; direct theft of the WordPress login cookie is limited by its HttpOnly flag, but actions taken through the victim's session (including against the admin interface if the victim is an administrator) are not.

Affected Systems

All releases of the ListingPro Lead Form plugin (slug listingpro-lead-form) up to and including 1.0.7 are affected; no fixed version is listed on this page. The vulnerable code is the plugin's client-side JavaScript: it takes attacker-influenced data (a crafted URL or form value) and writes it into the document through an HTML-interpreting sink (innerHTML, jQuery .html() and the like) without escaping. Any WordPress site that loads the plugin's script on a page a victim can be sent to is exposed, regardless of how the server escapes its own output.

Risk and Exploitability

The CVSS score of 6.5 is Medium severity. Two CVSS 3.1 vectors are recorded in the History below; both compute to 6.5, and the later one (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) models a network attacker with low privileges who needs the victim to interact, for example by opening a crafted link, with the injected script then running in the site's origin (scope changed). The EPSS score is below 1%, indicating a low predicted probability of exploitation in the wild, and the issue is not listed in CISA's KEV catalog; the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The most likely attack path is a crafted URL or form value that the plugin's client-side code writes into the page's DOM without escaping, so an attacker-controlled script runs in the context of the site's origin.

Generated by OpenCVE AI on April 29, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a release newer than 1.0.7 as soon as the vendor publishes one that includes the XSS fix. As of this page's last update no fixed version is listed, so confirm in the plugin's changelog that a newer release actually addresses this issue before treating it as patched.
  • If an update is not immediately possible, disable or uninstall the plugin to eliminate the vulnerable entry point until a patch is applied.
  • Do not rely on server-side output encoding for this issue: the value is written by the plugin's client-side JavaScript, so escaping in PHP templates does not close a DOM-based sink. Site-level hardening that does reduce impact is a Content-Security-Policy whose script-src omits 'unsafe-inline' (test first, since WordPress core and many plugins use inline scripts), and, if you maintain the plugin's script, writing untrusted values with textContent or setAttribute rather than innerHTML, document.write or jQuery .html().

Generated by OpenCVE AI on April 29, 2026 at 19:16 UTC.
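The sink-and-fix pattern behind the analysis above and the third recommended action, as an added example that is neither the plugin's code nor OpenCVE's: a URL parameter reaches an innerHTML-style sink unescaped (vulnerable) versus escaped (hardened), with a tag-counting check that shows the difference. The parameter name lead_name, the greeting markup, the host example.test and the payload are constructed assumptions; the plugin's real source and sink are not shown on this page.

```javascript
'use strict';
// Added example, not code from the ListingPro Lead Form plugin or from
// OpenCVE. It shows the shape of a DOM-based XSS (an untrusted URL
// parameter written into an innerHTML sink) beside the hardened form, as
// string-level functions so it runs under Node without a browser. The
// parameter name `lead_name`, the markup and the URL are assumptions.

// Source: read an attacker-influenced value from the page URL
// (in a browser this would be `location.href`).
function leadNameFromUrl(href) {
  return new URL(href).searchParams.get('lead_name') ?? '';
}

// VULNERABLE sink: untrusted text concatenated into HTML that is then
// assigned to element.innerHTML (or passed to jQuery .html()). Any tag or
// event handler inside `name` becomes live markup in the page.
function renderVulnerable(name) {
  return `<p class="lead-greeting">Thanks, ${name}!</p>`;
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// HARDENED sink: escape before the value reaches an HTML-interpreting sink.
// In a real page the simpler fix is to avoid HTML entirely:
//   greeting.textContent = `Thanks, ${name}!`;   // never element.innerHTML = ...
function renderHardened(name) {
  return `<p class="lead-greeting">Thanks, ${escapeHtml(name)}!</p>`;
}

// Check: which start tags does the resulting HTML actually contain? The
// hardened output must contain only the markup the template itself wrote.
function startTagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed test input: a crafted link of the kind a victim would be sent.
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';
const CRAFTED_URL =
  'https://example.test/contact/?lead_name=' + encodeURIComponent(PAYLOAD);

// Run both sinks on the crafted URL and report what each one would inject.
function demo() {
  const name = leadNameFromUrl(CRAFTED_URL);
  return {
    vulnerableTags: startTagNames(renderVulnerable(name)), // ['p', 'img']
    hardenedTags: startTagNames(renderHardened(name)),     // ['p']
    hardenedHtml: renderHardened(name),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: the vulnerable output gains an img element (and its onerror handler) from the payload, while the hardened output contains only the template's own p element. In a browser the preferred fix is element.textContent or jQuery .text(), which needs no escaping at all; escaping is for the cases where a value must be spliced into an HTML string. A Content-Security-Policy without 'unsafe-inline' in script-src would additionally block the inline onerror handler even if the markup landed in the DOM.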

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows DOM-Based XSS. This issue affects ListingPro Lead Form: from n/a through <= 1.0.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows DOM-Based XSS. This issue affects ListingPro Lead Form: from n/a through <= 1.0.7.
Type: Title
  Removed: WordPress ListingPro Lead Form plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
  Added: WordPress ListingPro Lead Form plugin <= 1.0.7 - Cross Site Scripting (XSS) vulnerability

Fri, 30 Jan 2026 18:15:00 +0000

Type: Metrics
  Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
  Added: Cridio; Cridio listingpro Lead Form; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Cridio; Cridio listingpro Lead Form; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 21:15:00 +0000

Type: Metrics
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 15:00:00 +0000

Type: Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows DOM-Based XSS. This issue affects ListingPro Lead Form: from n/a through <= 1.0.2.
Type: Title
  Added: WordPress ListingPro Lead Form plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
  Added: CWE-79
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:09.350Z

Reserved: 2025-10-24T14:26:26.919Z

Link: CVE-2025-63048

Vulnrichment

Updated: 2025-12-09T17:08:42.885Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:10.163

Modified: 2026-04-23T15:35:00.430

Link: CVE-2025-63048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:30:18Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')