Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro allows Reflected XSS.This issue affects ListingPro: from n/a through < 2.9.10.
Published: 2025-12-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of user input during web page generation in the CridioStudio ListingPro theme. An attacker can inject malicious JavaScript that is reflected back into the page, enabling a classic Reflected XSS attack. This flaw could allow session hijacking, theft of sensitive data, or defacement of the site’s UI. The issue is classified as CWE-79.

Affected Systems

WordPress sites that employ the ListingPro theme from CridioStudio running any version prior to 2.9.10 are affected. The theme failed to escape certain query parameters and output paths, so all users of these older releases are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity and the CWE-79 classification. The EPSS score of less than 1 percent suggests that actual exploitation is currently uncommon, and the vulnerability is not listed in CISA’s KEV catalog, implying a lower likelihood of targeted attacks. Based on the description of a reflected XSS flaw, a typical exploitation scenario is inferred to require a user to visit a specially crafted URL, so the risk is broadened to any user following such a link. This inference comes from the nature of the flaw and is not directly stated in the CVE data.

Generated by OpenCVE AI on April 29, 2026 at 13:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress ListingPro theme to version 2.9.10 or later, which incorporates the necessary input sanitization fixes.
  • Review the theme’s code to verify that all user‑supplied data is properly escaped before rendering, for example using WordPress escaping functions such as esc_html() or esc_url().
  • Conduct security testing, such as automated XSS scanners or manual review, to confirm that no reflected XSS paths remain.

Generated by OpenCVE AI on April 29, 2026 at 13:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Cridio
Cridio listingpro
Wordpress
Wordpress wordpress
Vendors & Products Cridio
Cridio listingpro
Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro allows Reflected XSS.This issue affects ListingPro: from n/a through < 2.9.10.
Title WordPress ListingPro theme < 2.9.10 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Cridio Listingpro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:32:08.887Z

Reserved: 2025-10-31T11:23:19.708Z

Link: CVE-2025-64376

cve-icon Vulnrichment

Updated: 2025-12-18T19:41:45.368Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:16:14.640

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64376

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses