CVE-2026-42658
Description
Unauthenticated XSS in Classified Listing plugin <=5.3.8 allows attackers to inject malicious scripts via user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An unauthenticated Cross-Site Scripting (XSS) vulnerability exists in the Classified Listing plugin for WordPress, affecting versions up to and including 5.3.8 [1]. The flaw allows an attacker to inject arbitrary JavaScript or HTML into the application without requiring authentication, but successful exploitation depends on a privileged user (such as an administrator) performing an action like clicking a malicious link or visiting a crafted page [1].
Exploitation
To exploit this vulnerability, an attacker crafts a malicious link or page containing the XSS payload. The attacker does not need to be authenticated, but the victim must be a logged-in user with elevated privileges (e.g., admin) who interacts with the crafted content [1]. When the victim clicks the link or submits a form, the injected script executes in the context of the victim's session, potentially allowing further actions.
Impact
Successful exploitation enables the attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when visitors access the affected site [1]. This can lead to information disclosure, site defacement, or further compromise of the WordPress installation and its users.
Mitigation
The vendor has released version 5.3.9, which fixes the vulnerability [1]. Users are strongly advised to update to 5.3.9 or later immediately. For those unable to update, Patchstack offers a mitigation rule that blocks attacks until the patch is applied [1]. No other workarounds are documented in the available reference.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.3.8
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.