Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flexmls Flexmls® IDX allows Reflected XSS.This issue affects Flexmls® IDX: from n/a through 3.15.9.
AnalysisAI
A reflected Cross-Site Scripting (XSS) vulnerability exists in the Flexmls® IDX WordPress plugin through version 3.15.9, allowing attackers to inject malicious scripts into web pages that execute in victims' browsers when they click specially crafted links. The vulnerability has a CVSS score of 7.1 and requires user interaction but can impact confidentiality, integrity, and availability across different origins due to its scope change characteristic. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability represents a moderate risk for WordPress sites using this real estate listing plugin.
Technical ContextAI
The Flexmls® IDX plugin (CPE: cpe:2.3:a:flexmls:flexmls®_idx:*:*:*:*:*:*:*:*) is a WordPress plugin used for integrating MLS (Multiple Listing Service) real estate data into websites. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input is not properly sanitized before being reflected back in the HTML response. This allows attackers to inject arbitrary JavaScript or HTML that executes in the context of the vulnerable domain when a victim visits a malicious URL containing the payload.
RemediationAI
Upgrade the Flexmls® IDX WordPress plugin to version 3.15.10 or later, which should contain the security fix for this XSS vulnerability. Until patching is possible, implement Content Security Policy (CSP) headers to restrict inline script execution and consider using a Web Application Firewall (WAF) to filter malicious XSS payloads. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-9-reflected-cross-site-scripting-xss-vulnerability for updates and ensure WordPress core and all plugins are kept current.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12445