Impact
An unauthenticated cross-site scripting (XSS) vulnerability exists in the Automotive Listings plugin for WordPress in versions up to and including 18.6. It allows an attacker to embed malicious JavaScript into responses sent to victims, potentially leading to theft of session cookies, defacement of the site, or execution of further attacks in the context of the user. The flaw is a classic reflected XSS, mapped to CWE-79, and requires no special privileges or authentication to exploit.
Affected Systems
The affected product is the Automotive Listings plugin developed by Themesuite, used within WordPress installations. All releases up to and including 18.6 are vulnerable; newer releases are not impacted.
Risk and Exploitability
The vulnerability scores 7.1 on the CVSS scale, indicating high impact and widespread availability. The EPSS score is not reported, but the lack of authentication and the common use of the plugin make exploitation feasible with minimal effort. The vulnerability is not listed in moderate‑to‑high severity means administrators should address it promptly.