CVE-2025-63046

Vulnerability

Overview

CVE-2025-63046 is a DOM-Based Cross-Site Scripting (XSS) vulnerability found in the CridioStudio ListingPro plugin for WordPress, affecting all versions up to and including 2.9.9. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation

Prerequisites

Exploitation requires user interaction: a privileged user (such as an administrator) must perform an action like clicking a crafted link or visiting a specially prepared page. The vulnerability can be triggered by any role with the required privilege level, but successful execution depends on the victim performing that action [1].

Impact

If exploited, an attacker can inject malicious scripts—such as redirects, advertisements, or other HTML payloads—into the website. These scripts execute when other users (including guests) visit the site's visitors) access the affected page, potentially leading to session hijacking, session hijacking, or defacement [1].

Mitigation

The vendor has not released a patch beyond version 2.9.9. Users are strongly advised to update the plugin immediately if a newer version becomes available. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended. This vulnerability is known to be used in mass-exploit campaigns [1].