CVE-2026-27425
Deferred Deferred - Pending Action

Unauthenticated XSS in Automotive Listings

Vulnerability report for CVE-2026-27425, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Patchstack

Description

Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack automotive_listings_plugin to 18.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-27425 is a Cross Site Scripting (XSS) vulnerability found in the WordPress Automotive Listings Plugin versions 18.6 and below.

This vulnerability allows attackers to inject malicious scripts into websites using the plugin. When visitors access the affected site, these scripts can execute, potentially causing unwanted actions such as redirects or displaying malicious content.

Exploitation requires user interaction, like clicking a malicious link or visiting a crafted page, and typically involves a privileged user role.

Impact Analysis

This vulnerability can lead to attackers executing malicious scripts on your website, which may result in unauthorized redirects, display of unwanted or harmful content, and potential compromise of user data.

Because the CVSS score is 7.1, it represents a moderately dangerous risk that could be exploited in widespread attacks targeting many websites.

Successful exploitation requires user interaction, so users might be tricked into clicking malicious links or visiting crafted pages.

Detection Guidance

The vulnerability involves Cross Site Scripting (XSS) in the WordPress Automotive Listings Plugin versions 18.6 and below. Detection typically involves monitoring for suspicious script injections or unusual redirects triggered by user interactions.

While no specific detection commands are provided, you can look for unusual HTTP requests containing suspicious script payloads targeting the plugin endpoints or monitor web server logs for patterns of reflected XSS attempts.

Additionally, using web vulnerability scanners that support XSS detection on WordPress plugins may help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the Automotive Listings Plugin to a version higher than 18.6 once an official patch is released.

Until an official fix is available, applying the mitigation rule provided by Patchstack to block attack attempts is advised.

You should also consider seeking assistance from your hosting provider or a developer to implement temporary protections and monitor for exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27425. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart