Description
Subscriber Cross Site Scripting (XSS) in ListingPro <= 2.9.11 versions.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic cross‑site scripting flaw that permits a malicious actor to inject arbitrary JavaScript into pages viewed by site subscribers. The injected script runs in the victim’s browser context, enabling session hijacking, credential theft, defacement, or other client‑side attacks. The weakness is classified as CWE‑79, reflecting unsanitized user input rendered as executable code.

Affected Systems

CridioStudio’s ListingPro WordPress theme versions up to and including 2.9.11 are affected. Hosts deploying any of these releases may expose subscribers and site visitors to the XSS vector.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as medium severity. EPSS data is unavailable, and it does not appear in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves an attacker submitting malicious script payloads through subscriber‑supplied content fields; the ability to create or modify subscriber data provides the necessary input location. Successful exploitation does not grant remote code execution on the server, but it can still facilitate client‑side compromise and credential theft.

Generated by OpenCVE AI on June 26, 2026 at 17:48 UTC.

Remediation

Vendor Solution

Update the WordPress ListingPro Theme to the latest available version (at least 2.9.12).
OpenCVE Recommended Actions

  • Update the ListingPro theme to version 2.9.12 or newer to eliminate the flaw.
  • If an immediate update is not possible, sanitize all subscriber‑supplied input fields on the server side, and encode or strip script content before it is rendered into a page.
  • Deploy a web application firewall or enable WordPress’ built‑in content sanitization mechanisms to block potential XSS payloads and monitor for anomalous activity.
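The sanitize‑and‑encode advice above, shown as an added WordPress/PHP example. This is not ListingPro's code and does not describe the actual vulnerable code path; the user‑meta keys `listing_tagline` and `listing_description` and the function names are hypothetical, and the snippet assumes it runs inside WordPress so that core helpers such as `sanitize_text_field()`, `esc_html()`, `esc_attr()` and `wp_kses_post()` are available. It puts the weak pattern (subscriber input echoed raw) beside the hardened one (sanitize on save, escape for the exact output context).

```php
<?php
// Added example, not ListingPro code. Meta keys and function names are
// hypothetical; the WordPress helpers used are real core functions.

// --- Weak pattern: subscriber-controlled meta echoed straight into markup ---
// A value containing "<script>" or an event-handler attribute becomes
// executable in every visitor's browser (CWE-79).
function render_tagline_weak( $user_id ) {
    $tagline = get_user_meta( $user_id, 'listing_tagline', true ); // hypothetical key
    return '<p class="tagline" title="' . $tagline . '">' . $tagline . '</p>';
}

// --- Hardened pattern, step 1: sanitize on save -------------------------------
// Called from a profile-update handler. wp_unslash() removes the slashes
// WordPress adds to request data; sanitize_text_field() strips tags, octets
// and control characters from a plain-text field.
function save_tagline( $user_id, $raw_value ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return false; // only the owner (or an editor of users) may write it
    }
    $clean = sanitize_text_field( wp_unslash( $raw_value ) );
    return update_user_meta( $user_id, 'listing_tagline', $clean );
}

// --- Hardened pattern, step 2: escape on output, per context -----------------
// Stored data must still be treated as untrusted: esc_attr() for attribute
// values, esc_html() for element text. Each encodes the characters that are
// dangerous in that specific context.
function render_tagline_safe( $user_id ) {
    $tagline = get_user_meta( $user_id, 'listing_tagline', true );
    return '<p class="tagline" title="' . esc_attr( $tagline ) . '">'
        . esc_html( $tagline ) . '</p>';
}

// Fields that legitimately carry limited HTML (a listing description, say)
// should be filtered against an allow-list rather than stripped entirely.
// wp_kses_post() keeps the tags/attributes allowed in post content and drops
// <script>, on* handlers and javascript: URLs.
function render_description_safe( $user_id ) {
    $desc = get_user_meta( $user_id, 'listing_description', true ); // hypothetical key
    return wp_kses_post( $desc );
}
```

Sanitizing on save and escaping on output are complementary, not alternatives: the first limits what is stored, the second guarantees that whatever is stored (including data written before a fix) cannot change the structure of the page it lands in.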

Generated by OpenCVE AI on June 26, 2026 at 17:48 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description                   Subscriber Cross Site Scripting (XSS) in ListingPro <= 2.9.11 versions.
Title                         WordPress ListingPro theme <= 2.9.11 - Cross Site Scripting (XSS) vulnerability
Weaknesses                    CWE-79
References
Metrics                       cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:34:08.453Z

Reserved: 2026-06-18T14:37:51.351Z

Link: CVE-2026-56046

Vulnrichment

Updated: 2026-06-26T15:34:04.902Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')