ListingPro <= - Reflected & Persistent XSS

Reflected & Persistent XSS was discovered in the «ListingPro - WordPress Directory Theme». Current version is (August 9th 2019).

Edit (WPScanTeam):
November 29th, 2019 - Envato Informed
November 29th, 2019 - Envato Investigating
December 4th, 2019 - v2.0.14.3 Released, fixing the reflected XSS but not the stored one. Envato notified again.
December 5th, 2019 - v2.0.14.4 released, stored XSS still present.
December 5th, 2019 - Envato Confirmed Stored XSS still present.
December 12th, 2019 - v2.0.14.5 released, fixing the stored XSS.
Proof of Concept
----[]- Reflected XSS: -[]----
Use your payload inside the «What» input field on the homepage ( ) and then submit the form — payload will be triggered.

Payload Sample #0: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">
Payload Sample #1: "><img src=x onerror=alert(`SUBVΞRSΛ`)>

PoC Link:

----[]- Persistent XSS: -[]----
You need a new basic user account (register your own or use mine: kadajik5554913/hYWeOJdr5Mqe), then go to the page for new listing submit. Choose the «Free» plan and press «Continue» button. On the next page you need to choose any category and after that you'll see the vulnerable input fields: «Best Day/Night» and «Good For» (for some categories you'll see only one vulnerable input field — «Good For»). Use your payload inside vulnerable input field(-s) and save your listing.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><img src=x onerror=window.location.replace(``)>

PoC: log in as kadajik5554913/hYWeOJdr5Mqe (login/password) and go to the page.

Affects Theme

fixed in version


CVE 2019-19540
CVE 2019-19541
CVE 2019-19542


Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)


Original Researcher SUBVΞRSΛ
Submitter SUBVΞRSΛ
Views 205958
Verified No


Publicly Published 2019-11-29 (7 months ago)
Added 2019-12-13 (7 months ago)
Last Updated 2019-12-27 (6 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin