VYPR

High severity (CVSS 7.1). NVD Advisory. Published Mar 5, 2026. Updated Apr 22, 2026.

CVE-2026-28122

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro (listingpro-plugin) allows Reflected XSS. This issue affects ListingPro: from n/a through 2.9.8 (all versions up to and including 2.9.8).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in CridioStudio ListingPro plugin (≤2.9.8) allows attackers to inject malicious scripts via crafted input.

The CridioStudio ListingPro plugin for WordPress (versions up to and including 2.9.8) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw occurs when the plugin fails to sanitize or escape input reflected in a response, allowing an attacker to inject arbitrary HTML or JavaScript.
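The flaw class described above, as an added example: this is not ListingPro's code and is not taken from the advisory, which does not disclose the affected parameter or code path. It shows the CWE-79 reflected-XSS pattern (a request parameter echoed straight into the generated page) beside the WordPress-idiomatic fix of escaping at the point of output with the function that matches the output context. The parameter name `search`, the payload, and the stand-in definitions of wp_unslash(), esc_html(), esc_attr() and sanitize_text_field() that let the file run outside WordPress are assumptions; inside WordPress the real functions from wp-includes/formatting.php are used.

```php
<?php
declare(strict_types=1);

// Added example, not ListingPro's code. Shows the CWE-79 reflected-XSS pattern
// (request input echoed straight into the generated page) beside the
// WordPress-idiomatic fix. Run stand-alone with: php reflected_xss_demo.php

// Stand-ins (assumptions) so the file runs outside WordPress. Inside WordPress
// these names already exist in wp-includes/formatting.php and the real
// implementations are used; function_exists() keeps us from redefining them.
if (!function_exists('wp_unslash')) {
    function wp_unslash(string $value): string { return stripslashes($value); }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Minimal stand-in: the real function also strips invalid UTF-8 and
    // percent-encoded octets.
    function sanitize_text_field(string $str): string {
        $str = strip_tags($str);                         // remove tags
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);  // collapse whitespace
        return trim($str);
    }
}

// Vulnerable: the 'search' parameter (hypothetical name) is reflected with no
// escaping, once inside an attribute value and once as element text. A value
// such as "><img src=x onerror=...> closes the attribute and injects markup.
function render_vulnerable(array $get): string
{
    $q = $get['search'] ?? '';
    return '<input type="text" name="search" value="' . $q . '">' . "\n"
         . '<p>Results for ' . $q . '</p>';
}

// Hardened: unslash and sanitize on the way in, then escape at the point of
// output with the function that matches the output context. The escaping is
// what neutralises the input; sanitize_text_field() is defence in depth and
// would not be enough on its own (it does not encode quotes).
function render_hardened(array $get): string
{
    $q = isset($get['search'])
        ? sanitize_text_field(wp_unslash((string) $get['search']))
        : '';
    return '<input type="text" name="search" value="' . esc_attr($q) . '">' . "\n"
         . '<p>Results for ' . esc_html($q) . '</p>';
}

// Constructed request, standing in for $_GET of a crafted link the victim clicks.
$request = ['search' => '"><img src=x onerror=alert(document.cookie)>'];

$vulnerable = render_vulnerable($request);
$hardened   = render_hardened($request);

echo "Vulnerable output:\n{$vulnerable}\n\nHardened output:\n{$hardened}\n";

// Check: the injected element survives only in the vulnerable rendering. In the
// hardened one the payload's quote and angle brackets arrive as &quot; &gt;
// and the browser shows them as text.
if (strpos($hardened, '<img') !== false || strpos($vulnerable, '<img') === false) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
```

The point of the two render functions is the order of operations: sanitising on input reduces the attack surface, but the property that actually defeats reflected XSS is context-aware escaping at every place the value is written into HTML. A value that is safe in element text (esc_html) is not automatically safe inside an attribute, a URL, or a script block, which is why WordPress ships esc_attr(), esc_url() and esc_js() as separate functions.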

Exploitation requires user interaction: the victim must click a crafted link or visit an attacker-controlled page that issues the request to the target site. No authentication is needed to reach the vulnerable code path, but the injected script runs in the browser of whoever follows the link, with that user's session and privileges on the site [1]. Because the same link-delivery technique works against any site running the affected plugin, reflected XSS in a widely installed WordPress plugin is a convenient primitive for opportunistic campaigns; the practical impact on a given site depends on who can be induced to click, with a logged-in administrator being the most damaging target.

Successful exploitation allows an attacker to execute script in the victim's browser in the context of the vulnerable site: redirecting visitors to attacker-controlled sites, injecting advertisements, stealing data exposed to the page, or performing actions with the victim's privileges. The CVSS 3.1 base score is 7.1 (High) [1]; the user-interaction requirement keeps it out of the Critical range, while the potential for widespread abuse across affected sites is what makes it High rather than Medium.

Mitigation is advised immediately. Update ListingPro to a release later than 2.9.8 that addresses this issue as soon as the vendor publishes one; at the time this page was generated no patched version had been identified. Until an update is available, a Patchstack mitigation rule (virtual patch) can block attack attempts [1]. A generic WAF rule for XSS in request parameters offers partial coverage but is not a substitute for the vendor fix.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 1