CVE-2025-64376

Vulnerability

Overview

CVE-2025-64376 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress ListingPro theme by CridioStudio. The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary script to be injected into a response pages. This affects all versions of the theme from n/a through 2.9.9 [1].

Exploitation

Details

An attacker can exploit this flaw by crafting a malicious URL containing a script payload. Successful exploitation requires a privileged user (e.g., an administrator) to interact with the crafted link—such as clicking it or visiting a specially prepared page. No authentication is needed to deliver the payload, but user interaction is required for execution [1].

Impact

If exploited, the attacker can inject arbitrary HTML and JavaScript into the victim's browser session within the context of the affected WordPress site. This could lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of sites regardless of size or popularity [1].

Mitigation

The vendor has released a patched version 2.9.10. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a virtual mitigation rule to block attacks until the theme is updated [1].