Skip to main content

Listify CVE-2026-28042

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 01:03 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Listify listify allows Reflected XSS.This issue affects Listify: from n/a through <= 3.2.5.

AnalysisAI

Reflected cross-site scripting (XSS) in Listify WordPress theme versions through 3.2.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exists due to improper input sanitization during web page generation, requiring user interaction to trigger. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation or public exploit code has been identified. Moderate CVSS score reflects changed scope (S:C) allowing potential session token theft across origins.

Technical ContextAI

Listify is a commercial WordPress theme by Astoundify designed for directory and listing websites. This reflected XSS vulnerability (CWE-79) arises from improper neutralization of user-supplied input during dynamic HTML generation. Unlike stored XSS, reflected XSS requires the malicious payload to be delivered through a crafted URL or form submission, with the unsanitized input immediately reflected back in the HTTP response. The CVSS vector indicates network-based exploitation (AV:N) with low attack complexity (AC:L), meaning no specialized conditions are required beyond standard WordPress theme installation. The changed scope (S:C) in the CVSS vector indicates the vulnerable component (the Listify theme) can affect resources beyond its security scope, typically through JavaScript execution in the browser context, enabling access to cookies and session data from the broader WordPress installation or parent domain.

Affected ProductsAI

Astoundify Listify WordPress theme versions from earliest release through 3.2.5 are confirmed vulnerable. Listify is a premium commercial WordPress theme used for business directories, job boards, and classified listing websites. The vulnerability affects all installations running version 3.2.5 or earlier regardless of WordPress core version or hosting environment. Patchstack vulnerability database entry serves as the authoritative reference at https://patchstack.com/database/Wordpress/Theme/listify/vulnerability/wordpress-listify-plugin-3-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve and was reported by audit@patchstack.com. No CPE identifier is provided in the available data, which is common for premium WordPress themes not distributed through official WordPress.org repositories.

RemediationAI

Upgrade Astoundify Listify theme to version 3.2.6 or later if available, checking the official Astoundify website or ThemeForest marketplace for the latest patched release. Verify the fix version through the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/listify/vulnerability/wordpress-listify-plugin-3-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve which may contain specific version guidance. If immediate patching is not feasible, implement compensating controls: deploy a Web Application Firewall (WAF) with XSS detection rules to filter malicious payloads in URL parameters and form inputs, accepting the trade-off of potential false positives blocking legitimate special characters in search queries or listing submissions. Enable Content Security Policy (CSP) headers restricting script execution to same-origin and trusted CDNs, noting this may break third-party integrations like analytics or advertising scripts that require inline JavaScript. Conduct user awareness training warning against clicking untrusted links to the directory site, particularly those with unusual URL parameters, though this provides limited protection against sophisticated social engineering. As a temporary measure, restrict administrative access to the theme customization features and monitor server logs for suspicious URL patterns containing script tags or JavaScript event handlers in query parameters.

Share

CVE-2026-28042 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy