CVE-2026-56046
Deferred Deferred - Pending Action

Subscriber XSS in ListingPro <= 2.9.11

Vulnerability report for CVE-2026-56046, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description

Subscriber Cross Site Scripting (XSS) in ListingPro <= 2.9.11 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack listpro to 2.9.11 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress ListingPro Theme, versions up to and including 2.9.11, is vulnerable to a Cross Site Scripting (XSS) attack. This means attackers can inject malicious scripts into the website, which may execute when visitors access the site.

Exploitation requires a privileged user, such as a Subscriber or Developer, to interact with a specially crafted link, page, or form.

The vulnerability has been fixed in version 2.9.12, and users are advised to update immediately.

Detection Guidance

This vulnerability involves Cross Site Scripting (XSS) in the ListingPro WordPress theme versions up to 2.9.11, which requires interaction by a privileged user with a crafted link, page, or form.

Detection typically involves monitoring for suspicious script injections or unusual redirects triggered by subscriber or developer interactions.

No specific detection commands or network/system scanning commands are provided in the available information.

Impact Analysis

If exploited, this vulnerability can allow attackers to execute malicious scripts on your website, which can lead to unwanted redirects or display of unauthorized content to your visitors.

Because the attack requires interaction from a privileged user, it could compromise the integrity and trustworthiness of your site.

The CVSS score of 6.5 indicates a medium severity impact, affecting confidentiality, integrity, and availability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The immediate recommended step is to update the ListingPro WordPress theme to version 2.9.12 or later, where the vulnerability has been patched.

Until the update can be applied, applying the mitigation rule provided by Patchstack to block attacks is advised.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56046. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart