Description
Unauthenticated SQL Injection in ListingPro <= 2.9.10 versions.
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ListingPro WordPress plugin contains an unauthenticated SQL Injection vulnerability in all releases up to and including 2.9.10. By submitting specially crafted input to the plugin’s data handling routines, an attacker can inject arbitrary SQL statements. An attacker who succeeds can read, alter, or delete database contents. The flaw is a classic CWE‑89 injection with a CVSS score of 9.3, indicating a critical level of risk.

Affected Systems

Vendors and products affected are Emraan Cheema’s ListingPro WordPress plugin. All versions of the plugin up through 2.9.10 are vulnerable; any site using these releases is impacted. The specific affected component is the plugin’s input handling code within the WordPress installation.

Risk and Exploitability

The CVSS score of 9.3 places this vulnerability in the critical band, and the EPSS score of less than 1% shows currently low exploitation probability but it does not eliminate the threat. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread, publicly known exploit. The likely attack vector is a web‑based injection via the plugin’s exposed input endpoints; the flaw is unauthenticated, so no credentials are required to execute the attack. If exploited, the attacker could gain full database compromise.

Generated by OpenCVE AI on June 17, 2026 at 20:38 UTC.

Remediation

Vendor Solution

Update the WordPress ListingPro Plugin to the latest available version (at least 2.9.11).


OpenCVE Recommended Actions

  • Upgrade the ListingPro plugin to version 2.9.11 or later from the official WordPress plugin repository.
  • If the plugin is not required for your site’s functionality, deactivate or uninstall it to remove the vulnerable code.
  • Back up the entire WordPress database before applying the update, and verify that backups are intact after updating.

Generated by OpenCVE AI on June 17, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Emraan Cheema
Emraan Cheema listingpro
Wordpress
Wordpress wordpress
Vendors & Products Emraan Cheema
Emraan Cheema listingpro
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in ListingPro <= 2.9.10 versions.
Title WordPress ListingPro plugin <= 2.9.10 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Emraan Cheema Listingpro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:42:59.336Z

Reserved: 2026-04-07T08:24:21.369Z

Link: CVE-2026-39438

cve-icon Vulnrichment

Updated: 2026-06-17T10:42:54.198Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:32Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')