CVE-2025-63048

Vulnerability

Overview

The ListingPro Lead Form plugin for WordPress, versions up to and including 1.0.1.7, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker to inject arbitrary script execution in the context of a victim's browser session.

Exploitation

Details

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page [1]. The attack vector is network-based, and no authentication is required (privileged user role), and the complexity is low. The vulnerability is classified as DOM-Based XSS, meaning the payload is executed client-side and does not require server-side reflection.

Impact

Successful exploitation allows an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which execute when visitors access the affected site [1]. This can lead to data theft, session hijacking, or defacement.

Mitigation

The vendor has not released a patched version; users are advised to update the plugin immediately if a fix becomes available. As a workaround, restrict access to the plugin's functionality and consider using a web application firewall or security plugin to filter malicious input [1]. The vulnerability is known to be used in mass-exploit campaigns, emphasizing the need for prompt action.