An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the Classified Listing WordPress plugin versions up to 5.3.8. Malicious input supplied through the plugin’s web interface can be reflected to unsuspecting users, allowing an attacker to inject arbitrary client‑side scripts into the victim’s browser. These scripts can steal session cookies, deface the site, or redirect users to phishing pages, compromising confidentiality and availability at the browser level. Based on the description, it is inferred that the attacker can supply the malicious input through the plugin’s publicly accessible admin or front‑end forms, though the specific endpoint is not detailed.

The vulnerability affects installations of the Classified Listing plugin by Mamunur Rashid, specifically all released versions up to and including 5.3.8. WordPress sites running these versions are at risk until the plugin is upgraded.

The CVSS score of 7.1 indicates a high impact for a web‑direct vulnerability with no authentication requirement. The EPSS score of less than 1% suggests that, at the time of assessment, the exploit probability is low, and the vulnerability has not been reported in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector involves an unauthenticated user interacting with the plugin’s exposed endpoint; the attacker can deliver the malicious payload by sending crafted data to that endpoint, making exploitation straightforward for anyone with access to the website’s front‑end.