Skip to main content

ListingPro CVE-2026-56046

| EUVDEUVD-2026-39707 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-pmwg-h2c7-w359
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Network-delivered XSS requires subscriber auth (PR:L) and victim page view (UI:R) with browser scope change; availability impact is not a realistic XSS outcome and is assessed as N.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:20 vuln.today

DescriptionCVE.org

Subscriber Cross Site Scripting (XSS) in ListingPro <= 2.9.11 versions.

AnalysisAI

Stored Cross-Site Scripting in ListingPro WordPress theme versions 2.9.11 and below allows authenticated subscriber-level users to inject malicious JavaScript that executes in the browsers of other users who view the affected page. The CVSS scope change (S:C) confirms the injected payload breaks out of the application's security boundary and runs in the victim's browser context, enabling session hijacking or unauthorized actions on behalf of higher-privileged users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register subscriber account on target site
Delivery
Submit listing/form field with JavaScript payload
Exploit
Payload stored in WordPress database
Install
Privileged user views affected listing page
C2
Injected script executes in victim browser
Execute
Session cookie or nonce exfiltrated
Impact
Attacker gains elevated session access

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress subscriber account on the target site - the lowest authenticated role, obtainable by self-registration on sites with open enrollment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 6.5 Medium rating reflects a balanced set of signals: network-delivered (AV:N), low complexity (AC:L), but requiring low-privilege authentication (PR:L) and victim interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on an open-registration WordPress directory site running ListingPro 2.9.11 or earlier, then submits a listing or profile field containing a crafted JavaScript payload such as an image tag with an onerror handler. When a site administrator reviews or moderates the submission, the script executes in the administrator's browser, exfiltrating their session cookie or WordPress nonce to an attacker-controlled server, enabling account takeover without further authentication.
Remediation Update the ListingPro WordPress theme to a version released after 2.9.11 as soon as one is available from the vendor; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-11-cross-site-scripting-xss-vulnerability for patch availability updates. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy