CVE-2025-30955

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:26 (vuln.today)
CVE Published: Jul 16, 2025 - 12:15 (nvd)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes ListingEasy listingeasy allows Reflected XSS. This issue affects ListingEasy: from n/a through <= 1.9.2.

Analysis (AI)

Reflected cross-site scripting (XSS) in GT3themes ListingEasy WordPress theme through version 1.9.2 allows unauthenticated attackers to inject arbitrary JavaScript into web pages viewed by other users. The vulnerability exists in unspecified input handling during page generation, enabling attackers to craft malicious URLs that execute scripts in victims' browsers when clicked. No public exploit code or active exploitation has been confirmed, though the low EPSS score (0.04%) suggests limited real-world attack likelihood despite the high-impact nature of XSS.

Technical Context (AI)

ListingEasy is a WordPress theme developed by GT3themes that handles dynamic content rendering for listing pages. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input (likely through URL parameters or form fields) is reflected back to the browser without proper HTML encoding or sanitization, allowing attackers to break out of the intended context and inject malicious JavaScript code. Theme code runs server-side and its output is rendered in users' browsers, which makes XSS particularly dangerous: injected scripts execute with the privileges of the authenticated user viewing the page.

Affected Products (AI)

GT3themes ListingEasy WordPress theme, from initial release through version 1.9.2. The theme is distributed through the WordPress.org theme repository and third-party theme marketplaces. No specific CPE identifier is provided in the available data; all installations of this theme at or below version 1.9.2 are affected.

Remediation (AI)

Site administrators should immediately update the ListingEasy theme to the latest available version beyond 1.9.2, which should include the security fix. Update through the WordPress admin dashboard (Appearance > Themes > ListingEasy > Update) or manually download the patched version from the WordPress.org theme repository or GT3themes official website. Until patching is feasible, implement Web Application Firewall (WAF) rules to filter common XSS payloads in URL parameters, though this is not a complete mitigation. Detailed vulnerability information and patch confirmation can be found in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Theme/listingeasy/vulnerability/wordpress-listingeasy-theme-1-9-2-reflected-cross-site-scripting-xss-vulnerability.
