CVE-2025-69089

Description

The Auto Listings WordPress plugin versions up to and including 2.7.1 suffer from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This means that input provided by certain authenticated users is not safely sanitized before being stored and later displayed to other users.

Exploitation

To exploit this vulnerability, an attacker needs at least contributor-level access to the WordPress site. The attacker can inject arbitrary HTML and JavaScript into listings or other content fields. When a privileged user (like an admin) later views the injected content, the malicious script executes in their browser. User interaction is required for successful exploitation, such as clicking a link or visiting a crafted page [1].

Impact

Successful exploitation allows an attacker to inject malicious scripts that can perform actions including redirecting visitors to malicious sites, displaying advertisements, or stealing session cookies. Since the script is stored and executed for every visitor viewing the affected content, this can lead to widespread compromise of site visitors and potential privilege escalation if an admin's session is hijacked [1].

Mitigation

The vendor has released version 2.7.2 which fixes this vulnerability. Users are strongly advised to update immediately. If unable to update, contacting the hosting provider or a web developer for assistance is recommended. The vulnerability has a CVSS score of 6.5 (Medium) and is listed as requiring user interaction for exploitation, but can be used in mass-exploit campaigns against thousands of sites [1].