CVE-2026-25369
Reflected XSS in Flexmls IDX Allows Webpage Script Injection
Publication date: 2026-03-16
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flexmls | flexmls_idx | to 3.15.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25369 is a medium severity Cross Site Scripting (XSS) vulnerability affecting the WordPress Flexmls® IDX Plugin versions up to and including 3.15.9.
This vulnerability allows attackers to inject malicious scripts—such as redirects, advertisements, or other HTML payloads—that execute when site visitors access the compromised website.
Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability falls under the OWASP Top 10 category A3: Injection.
How can this vulnerability impact me? :
This vulnerability can lead to the execution of malicious scripts on your website, which may result in unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.
Such exploitation can compromise the integrity and trustworthiness of your website, potentially harming your users and damaging your reputation.
Because the vulnerability requires user interaction by a privileged user, attackers might trick users into performing actions that trigger the malicious scripts.
The CVSS score of 7.1 indicates a moderate level of danger and a likelihood of exploitation in widespread attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability is a reflected Cross Site Scripting (XSS) issue in the WordPress Flexmls® IDX Plugin versions up to 3.15.9. Detection typically involves monitoring for suspicious HTTP requests that include malicious script payloads or unusual URL parameters that could trigger the reflected XSS.'}, {'type': 'paragraph', 'content': 'Common detection methods include analyzing web server logs for suspicious query strings or payloads, and using web vulnerability scanners that can test for reflected XSS vulnerabilities.'}, {'type': 'list_item', 'content': 'Use tools like curl or wget to send crafted requests with typical XSS payloads to the suspected endpoints and observe the responses.'}, {'type': 'list_item', 'content': 'Example command to test for reflected XSS using curl:'}, {'type': 'paragraph', 'content': 'curl -i "http://yourwebsite.com/path?param=<script>alert(\'XSS\')</script>"'}, {'type': 'list_item', 'content': 'Check the HTTP response for the reflected script tag or payload indicating vulnerability.'}, {'type': 'list_item', 'content': 'Use web vulnerability scanners such as OWASP ZAP or Burp Suite to automate detection of reflected XSS.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the WordPress Flexmls® IDX Plugin to version 3.15.10 or later, where this vulnerability has been patched.
Until the update can be applied, applying Patchstack mitigation rules can help block attacks targeting this vulnerability.
- Update the Flexmls® IDX Plugin to version 3.15.10 or later.
- Implement Patchstack mitigation rules to block malicious payloads.
- Limit user interactions with untrusted links or inputs that could trigger the vulnerability.
These steps reduce the risk of exploitation while ensuring the plugin is secured against this reflected XSS vulnerability.