Impact
The ListingPro Reviews theme does not properly neutralize user input before rendering it into a web page, creating a reflected XSS vulnerability. Attacker‑controlled data entered into certain fields can be echoed back into the site's HTML, causing the browser to execute arbitrary JavaScript in the victim's context. The description indicates the possibility of hijacking user sessions, stealing data, or modifying page content, but these are inferred impacts based on typical XSS consequences and are not explicitly stated in the supplied description.
Affected Systems
All versions of the CridioStudio ListingPro Reviews WordPress theme up to, but not including, 2.9.11 are vulnerable. This includes version 1.7 and all earlier releases, as well as every 2.x release prior to 2.9.11.
Risk and Exploitability
The CVSS base score of 7.1 signals a high risk level. The EPSS score of less than 1 percent suggests that in‑the‑wild exploitation is unlikely at present, and the vulnerability is not listed in CISA KEV. The flaw is reflected and can be triggered by a web‑based attack vector, such as a crafted URL or form payload that is echoed back to the browser; this is inferred from the term 'Reflected XSS' in the description, which does not explicitly detail the attack vector. Exploitation would require a victim to load the vulnerable page, making it potentially possible against both unauthenticated and authenticated users depending on where the affected user input is processed.
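The Impact and Risk sections above describe the general pattern: a request value is reflected into the page without output escaping. The following is an added example written for this page, not code from the ListingPro Reviews theme or from CridioStudio, and it does not show the actual vulnerable field. It contrasts a hypothetical theme snippet that echoes a request parameter (the parameter name `listing_search` and the markup are constructed) with the same snippet escaped for its output context, plus a small check that flags whether markup characters from the input survive verbatim into the output. It uses core PHP's `htmlspecialchars()` so it runs from the CLI without WordPress loaded; in a real theme, WordPress's `esc_html()` and `esc_attr()` serve the same purpose.

```php
<?php
// Added example (not ListingPro theme code): reflected request data rendered
// unsafely, beside the same rendering with context-aware output escaping.
// The parameter name "listing_search" and the markup are constructed here.
declare(strict_types=1);

// Vulnerable pattern: the raw request value is concatenated straight into HTML,
// once in element text and once inside a quoted attribute.
function render_search_header_unsafe(array $query): string
{
    $term = $query['listing_search'] ?? '';
    return '<h2>Results for: ' . $term . '</h2>'
         . '<input type="text" name="listing_search" value="' . $term . '">';
}

// Hardened pattern: escape on output for the HTML context. ENT_QUOTES covers
// both quote styles (needed for the attribute), ENT_SUBSTITUTE avoids an empty
// string on invalid UTF-8. WordPress themes would call esc_html()/esc_attr().
function esc_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search_header_safe(array $query): string
{
    $term = $query['listing_search'] ?? '';
    return '<h2>Results for: ' . esc_text($term) . '</h2>'
         . '<input type="text" name="listing_search" value="' . esc_text($term) . '">';
}

// Review/test helper: if the input carries HTML-significant characters and the
// exact input string appears unchanged in the output, the value was reflected raw.
function reflects_raw_markup(string $input, string $output): bool
{
    $has_markup_chars = strpbrk($input, '<>"\'&') !== false;
    return $has_markup_chars && $input !== '' && str_contains($output, $input);
}

// Constructed sample request: a benign value that still contains quotes and tags.
$query = ['listing_search' => 'Café "Lounge" <bar>'];

foreach (['unsafe' => 'render_search_header_unsafe',
          'safe'   => 'render_search_header_safe'] as $label => $renderer) {
    $html = $renderer($query);
    printf("%s: %s\n", $label, $html);
    printf("  raw input reflected verbatim: %s\n",
        reflects_raw_markup($query['listing_search'], $html) ? 'yes' : 'no');
}
```

Run with `php example.php` (PHP 8 or later, for `str_contains()`). The unsafe renderer reports `yes` because the quotes and angle brackets land in the page unchanged, which is the condition a reflected XSS needs; the hardened renderer reports `no` because every such character is converted to an entity. The same check is a cheap regression test to attach to any template that renders request data, and it complements, rather than replaces, input validation and a restrictive Content-Security-Policy.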
OpenCVE Enrichment