Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable unauthenticated XSS (AV:N/AC:L/PR:N) needing victim click (UI:R); script runs in broader WordPress context so S:C with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.3.8 versions.
AnalysisAI
Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and carries CVSS 7.1 due to the scope change affecting the broader WordPress site context, though no public exploit identified at time of analysis. Risk is elevated for sites running the plugin in publicly accessible classified/marketplace deployments where untrusted visitor input is processed.
Technical ContextAI
Classified Listing is a WordPress plugin by author Mamunur Rashid (CPE cpe:2.3:a:mamunur_rashid:classified_listing) that turns a WordPress site into a classifieds/marketplace platform supporting listings, categories, and user submissions. The underlying weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is rendered into HTML output without adequate encoding or sanitization, letting attacker-supplied markup execute as script in the DOM. Because the plugin accepts data from unauthenticated visitors (a core feature of classifieds platforms), the injection surface is exposed without prior login.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade Classified Listing to the latest version above 5.3.8 as published on the WordPress.org plugin repository and verify via the Patchstack entry at https://patchstack.com/database/wordpress/plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-3-8-cross-site-scripting-xss-vulnerability. Until patched, compensating controls include placing the site behind a WAF with XSS rules (e.g., Patchstack, Wordfence) tuned for Classified Listing endpoints, restricting unauthenticated submission forms via reCAPTCHA or login-required gating (trade-off: reduces classifieds functionality for visitors), and setting a strict Content-Security-Policy header that disallows inline scripts and limits script-src to trusted origins (trade-off: may break themes or plugins relying on inline JavaScript and requires testing). Administrators should also avoid clicking unsolicited links to the affected site while a patch is pending, since exploitation requires user interaction.
More in Classified Listing
View allThe Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in a
The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classifie
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Req
Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions. Rated high s
Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remot
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized a
Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticat
Broken Access Control in the Classified Listing WordPress plugin (versions ≤ 5.3.8) allows unauthenticated remote attack
Path traversal in the Classified Listing WordPress plugin (versions through 5.3.8) enables authenticated low-privileged
Broken access control in the Classified Listing WordPress plugin (versions ≤ 5.3.9) allows subscriber-level authenticate
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Info
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized l
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36823
GHSA-8gjj-f8v8-88pg