Skip to main content

Classified Listing EUVDEUVD-2026-36823

| CVE-2026-42658 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-8gjj-f8v8-88pg
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable unauthenticated XSS (AV:N/AC:L/PR:N) needing victim click (UI:R); script runs in broader WordPress context so S:C with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:00 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.3.8 versions.

AnalysisAI

Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and carries CVSS 7.1 due to the scope change affecting the broader WordPress site context, though no public exploit identified at time of analysis. Risk is elevated for sites running the plugin in publicly accessible classified/marketplace deployments where untrusted visitor input is processed.

Technical ContextAI

Classified Listing is a WordPress plugin by author Mamunur Rashid (CPE cpe:2.3:a:mamunur_rashid:classified_listing) that turns a WordPress site into a classifieds/marketplace platform supporting listings, categories, and user submissions. The underlying weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is rendered into HTML output without adequate encoding or sanitization, letting attacker-supplied markup execute as script in the DOM. Because the plugin accepts data from unauthenticated visitors (a core feature of classifieds platforms), the injection surface is exposed without prior login.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade Classified Listing to the latest version above 5.3.8 as published on the WordPress.org plugin repository and verify via the Patchstack entry at https://patchstack.com/database/wordpress/plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-3-8-cross-site-scripting-xss-vulnerability. Until patched, compensating controls include placing the site behind a WAF with XSS rules (e.g., Patchstack, Wordfence) tuned for Classified Listing endpoints, restricting unauthenticated submission forms via reCAPTCHA or login-required gating (trade-off: reduces classifieds functionality for visitors), and setting a strict Content-Security-Policy header that disallows inline scripts and limits script-src to trusted origins (trade-off: may break themes or plugins relying on inline JavaScript and requires testing). Administrators should also avoid clicking unsolicited links to the affected site while a patch is pending, since exploitation requires user interaction.

CVE-2022-2655 MEDIUM POC
6.1 Sep 16

The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in a

CVE-2022-2654 MEDIUM POC
6.1 Sep 16

The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classifie

CVE-2024-1315 HIGH
8.8 Apr 09

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Req

CVE-2023-37387 HIGH
8.8 Jul 18

Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions. Rated high s

CVE-2026-57344 HIGH
7.1 Jul 02

Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remot

CVE-2024-1352 MEDIUM
6.5 Apr 09

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized a

CVE-2026-57355 MEDIUM
6.5 Jul 02

Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticat

CVE-2026-42640 MEDIUM
6.5 Jun 15

Broken Access Control in the Classified Listing WordPress plugin (versions ≤ 5.3.8) allows unauthenticated remote attack

CVE-2026-42679 MEDIUM
6.5 Jun 01

Path traversal in the Classified Listing WordPress plugin (versions through 5.3.8) enables authenticated low-privileged

CVE-2026-42651 MEDIUM
6.3 Jun 15

Broken access control in the Classified Listing WordPress plugin (versions ≤ 5.3.9) allows subscriber-level authenticate

CVE-2025-1063 MEDIUM
5.3 Feb 25

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Info

CVE-2024-3893 MEDIUM
4.3 Apr 25

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized l

Share

EUVD-2026-36823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy