Skip to main content

Listingpro

6 CVEs product

Monthly

CVE-2026-39438 CRITICAL Act Now

Unauthenticated SQL injection in the ListingPro WordPress plugin (versions ≤ 2.9.10) allows remote attackers to inject arbitrary SQL into backend queries without credentials, exposing the WordPress database to extraction and manipulation. Reported by Patchstack and tracked as EUVD-2026-37469, the flaw carries a 9.3 CVSS with scope change, indicating impact beyond the vulnerable component. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Listingpro
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2020-36723 MEDIUM POC THREAT This Month

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the ~/listingpro-plugin/functions.php file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.7%.

PHP Information Disclosure WordPress Listingpro
NVD VulDB
CVSS 3.1
5.3
EPSS
20.7%
CVE-2020-36719 CRITICAL POC THREAT Emergency

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 74.3%.

Authentication Bypass WordPress Listingpro
NVD VulDB
CVSS 3.1
9.8
EPSS
74.3%
Threat
5.7
CVE-2019-19542 MEDIUM POC This Month

The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Good For field on the new listing submit page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Listingpro
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-19541 MEDIUM POC This Month

The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Best Day/Night field on the new listing submit page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Listingpro
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-19540 MEDIUM POC This Month

The ListingPro theme before v2.0.14.2 for WordPress has Reflected XSS via the What field on the homepage. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Listingpro
NVD
CVSS 3.1
6.1
EPSS
0.9%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the ListingPro WordPress plugin (versions ≤ 2.9.10) allows remote attackers to inject arbitrary SQL into backend queries without credentials, exposing the WordPress database to extraction and manipulation. Reported by Patchstack and tracked as EUVD-2026-37469, the flaw carries a 9.3 CVSS with scope change, indicating impact beyond the vulnerable component. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Listingpro
NVD
EPSS 21% CVSS 5.3
MEDIUM POC THREAT This Month

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the ~/listingpro-plugin/functions.php file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.7%.

PHP Information Disclosure WordPress +1
NVD VulDB
EPSS 74% 5.7 CVSS 9.8
CRITICAL POC THREAT Emergency

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 74.3%.

Authentication Bypass WordPress Listingpro
NVD VulDB
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Good For field on the new listing submit page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Listingpro
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Best Day/Night field on the new listing submit page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Listingpro
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The ListingPro theme before v2.0.14.2 for WordPress has Reflected XSS via the What field on the homepage. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Listingpro
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy