Impact
The ListingPro WordPress plugin contains an unauthenticated SQL Injection vulnerability in all releases up to and including 2.9.10. By submitting specially crafted input to the plugin’s data handling routines, an attacker can inject arbitrary SQL statements. An attacker who succeeds can read, alter, or delete database contents. The flaw is a classic CWE‑89 injection with a CVSS score of 9.3, indicating a critical level of risk.
Affected Systems
Vendors and products affected are Emraan Cheema’s ListingPro WordPress plugin. All versions of the plugin up through 2.9.10 are vulnerable; any site using these releases is impacted. The specific affected component is the plugin’s input handling code within the WordPress installation.
Risk and Exploitability
The CVSS score of 9.3 places this vulnerability in the critical band, and the EPSS score of less than 1% shows currently low exploitation probability but it does not eliminate the threat. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread, publicly known exploit. The likely attack vector is a web‑based injection via the plugin’s exposed input endpoints; the flaw is unauthenticated, so no credentials are required to execute the attack. If exploited, the attacker could gain full database compromise.
OpenCVE Enrichment