Skip to main content

Automotive Listings EUVDEUVD-2026-41334

| CVE-2026-27425 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-jcxf-hgc5-3v4w
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable reflected XSS (PR:N, AV:N) needing victim click (UI:R); browser-context execution changes scope (S:C) with low C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:10 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions.

AnalysisAI

Reflected Cross-Site Scripting in the Automotive Listings WordPress plugin (versions 18.6 and earlier) lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack and classified CWE-79 with a CVSS 3.1 score of 7.1 (scope-changed, low impact across confidentiality, integrity, and availability), the flaw requires user interaction but no authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS payload
Delivery
Deliver crafted link to victim
Exploit
Victim opens link in browser
Execution
Reflected payload executes as script
Impact
Steal session or perform actions

Vulnerability AssessmentAI

Exploitation Exploitation requires an attacker to craft a malicious link targeting the vulnerable reflected parameter in Automotive Listings 18.6 or earlier and to convince a victim to click it (UI:R) - the payload is not persisted, so each attack is per-request and per-victim. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1) indicates a network-reachable, low-complexity, unauthenticated attack that nonetheless depends on user interaction (a victim clicking a crafted link), which is typical and consistent for reflected XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a vulnerable Automotive Listings page with a malicious script embedded in a reflected parameter and delivers it to a victim via phishing email, chat, or a malicious link. When the victim (potentially a logged-in site administrator) clicks the link, the injected JavaScript executes in their browser session, enabling actions such as session/cookie theft, forced admin requests, or redirection. …
Remediation No vendor-released patch version is identified in the available data, so the primary action is to consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/automotive/vulnerability/wordpress-automotive-listings-plugin-18-6-reflected-cross-site-scripting-xss-vulnerability) and upgrade to any release later than 18.6 once published by ThemeSuite. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress instances running Automotive Listings plugin versions 18.6 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41334 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy