Impact
The vulnerability is an unauthenticated cross-site scripting (XSS) flaw in the RadiusTheme Classified Listing WordPress plugin, versions 5.4.2 and earlier. Input supplied by a visitor can be injected into the site's output as malicious script, allowing an attacker to execute code in a victim's browser. This can lead to session hijacking, defacement, or the exfiltration of sensitive data. The flaw is classified as CWE-79.
Affected Systems
WordPress sites that have installed the RadiusTheme Classified Listing plugin version 5.4.2 or any earlier release are affected. The issue is limited to that plugin; other WordPress components are not implicated.
Risk and Exploitability
The CVSS score of 7.1 indicates a high risk to confidentiality, integrity, and availability. Because exploitation requires no authentication, any visitor can exploit the flaw, and the attack vector is likely to be a simple crafted URL or form submission. No EPSS score is available and the vulnerability is not listed in CISA KEV, so current exploitation data is limited, but the potential for widespread impact remains high.