Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Listify listify allows Reflected XSS.This issue affects Listify: from n/a through <= 3.2.5.
AnalysisAI
Reflected cross-site scripting (XSS) in Listify WordPress theme versions through 3.2.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exists due to improper input sanitization during web page generation, requiring user interaction to trigger. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation or public exploit code has been identified. Moderate CVSS score reflects changed scope (S:C) allowing potential session token theft across origins.
Technical ContextAI
Listify is a commercial WordPress theme by Astoundify designed for directory and listing websites. This reflected XSS vulnerability (CWE-79) arises from improper neutralization of user-supplied input during dynamic HTML generation. Unlike stored XSS, reflected XSS requires the malicious payload to be delivered through a crafted URL or form submission, with the unsanitized input immediately reflected back in the HTTP response. The CVSS vector indicates network-based exploitation (AV:N) with low attack complexity (AC:L), meaning no specialized conditions are required beyond standard WordPress theme installation. The changed scope (S:C) in the CVSS vector indicates the vulnerable component (the Listify theme) can affect resources beyond its security scope, typically through JavaScript execution in the browser context, enabling access to cookies and session data from the broader WordPress installation or parent domain.
Affected ProductsAI
Astoundify Listify WordPress theme versions from earliest release through 3.2.5 are confirmed vulnerable. Listify is a premium commercial WordPress theme used for business directories, job boards, and classified listing websites. The vulnerability affects all installations running version 3.2.5 or earlier regardless of WordPress core version or hosting environment. Patchstack vulnerability database entry serves as the authoritative reference at https://patchstack.com/database/Wordpress/Theme/listify/vulnerability/wordpress-listify-plugin-3-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve and was reported by audit@patchstack.com. No CPE identifier is provided in the available data, which is common for premium WordPress themes not distributed through official WordPress.org repositories.
RemediationAI
Upgrade Astoundify Listify theme to version 3.2.6 or later if available, checking the official Astoundify website or ThemeForest marketplace for the latest patched release. Verify the fix version through the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/listify/vulnerability/wordpress-listify-plugin-3-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve which may contain specific version guidance. If immediate patching is not feasible, implement compensating controls: deploy a Web Application Firewall (WAF) with XSS detection rules to filter malicious payloads in URL parameters and form inputs, accepting the trade-off of potential false positives blocking legitimate special characters in search queries or listing submissions. Enable Content Security Policy (CSP) headers restricting script execution to same-origin and trusted CDNs, noting this may break third-party integrations like analytics or advertising scripts that require inline JavaScript. Conduct user awareness training warning against clicking untrusted links to the directory site, particularly those with unusual URL parameters, though this provides limited protection against sophisticated social engineering. As a temporary measure, restrict administrative access to the theme customization features and monitor server logs for suspicious URL patterns containing script tags or JavaScript event handlers in query parameters.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today