Skip to main content

Flexmls Idx EUVDEUVD-2026-12445

| CVE-2026-25369 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-16 Patchstack
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
EUVD ID Assigned
Mar 16, 2026 - 15:00 euvd
EUVD-2026-12445
Analysis Generated
Mar 16, 2026 - 15:00 vuln.today
CVE Published
Mar 16, 2026 - 14:13 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flexmls Flexmls® IDX allows Reflected XSS.This issue affects Flexmls® IDX: from n/a through 3.15.9.

AnalysisAI

A reflected Cross-Site Scripting (XSS) vulnerability exists in the Flexmls® IDX WordPress plugin through version 3.15.9, allowing attackers to inject malicious scripts into web pages that execute in victims' browsers when they click specially crafted links. The vulnerability has a CVSS score of 7.1 and requires user interaction but can impact confidentiality, integrity, and availability across different origins due to its scope change characteristic. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability represents a moderate risk for WordPress sites using this real estate listing plugin.

Technical ContextAI

The Flexmls® IDX plugin (CPE: cpe:2.3:a:flexmls:flexmls®_idx:*:*:*:*:*:*:*:*) is a WordPress plugin used for integrating MLS (Multiple Listing Service) real estate data into websites. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input is not properly sanitized before being reflected back in the HTML response. This allows attackers to inject arbitrary JavaScript or HTML that executes in the context of the vulnerable domain when a victim visits a malicious URL containing the payload.

RemediationAI

Upgrade the Flexmls® IDX WordPress plugin to version 3.15.10 or later, which should contain the security fix for this XSS vulnerability. Until patching is possible, implement Content Security Policy (CSP) headers to restrict inline script execution and consider using a Web Application Firewall (WAF) to filter malicious XSS payloads. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-9-reflected-cross-site-scripting-xss-vulnerability for updates and ensure WordPress core and all plugins are kept current.

Share

EUVD-2026-12445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy