Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Network-delivered XSS requires subscriber auth (PR:L) and victim page view (UI:R) with browser scope change; availability impact is not a realistic XSS outcome and is assessed as N.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Cross Site Scripting (XSS) in ListingPro <= 2.9.11 versions.
AnalysisAI
Stored Cross-Site Scripting in ListingPro WordPress theme versions 2.9.11 and below allows authenticated subscriber-level users to inject malicious JavaScript that executes in the browsers of other users who view the affected page. The CVSS scope change (S:C) confirms the injected payload breaks out of the application's security boundary and runs in the victim's browser context, enabling session hijacking or unauthorized actions on behalf of higher-privileged users. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress subscriber account on the target site - the lowest authenticated role, obtainable by self-registration on sites with open enrollment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 6.5 Medium rating reflects a balanced set of signals: network-delivered (AV:N), low complexity (AC:L), but requiring low-privilege authentication (PR:L) and victim interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on an open-registration WordPress directory site running ListingPro 2.9.11 or earlier, then submits a listing or profile field containing a crafted JavaScript payload such as an image tag with an onerror handler. When a site administrator reviews or moderates the submission, the script executes in the administrator's browser, exfiltrating their session cookie or WordPress nonce to an attacker-controlled server, enabling account takeover without further authentication. |
| Remediation | Update the ListingPro WordPress theme to a version released after 2.9.11 as soon as one is available from the vendor; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-11-cross-site-scripting-xss-vulnerability for patch availability updates. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39707
GHSA-pmwg-h2c7-w359