CVE-2022-2654: CWE-79 Cross-Site Scripting (XSS) in Unknown Classified Listing – Classified ads & Business Directory Plugin

Severity: Medium
Published: Fri Sep 16 2022 (09/16/2022, 08:40:31 UTC)
Source: CVE Database V5
Vendor/Project: Unknown
Product: Classified Listing – Classified ads & Business Directory Plugin

Description

The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting.

AI-Powered Analysis

Last updated: 07/07/2025, 18:55:35 UTC

Technical Analysis

CVE-2022-2654 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Classified Listing – Classified ads & Business Directory Plugin and related components of the Classima WordPress theme prior to specified versions (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20, and Classima Core before 1.10). The vulnerability arises because these versions fail to properly escape user-supplied input parameters before reflecting them back into HTML attributes. This improper sanitization allows an attacker to inject malicious JavaScript code into the web page, which is then executed in the context of the victim's browser when they interact with the affected page.

The vulnerability is exploitable remotely without authentication (AV:N/AC:L/PR:N), but requires user interaction (UI:R), such as clicking a crafted link. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact includes limited confidentiality and integrity loss (C:L/I:L), but no impact on availability (A:N). The CVSS v3.1 base score is 6.1, indicating a medium severity level. No known exploits in the wild have been reported to date.

The vulnerability is specific to WordPress sites using the affected Classima theme and plugins, which are typically used to create classified ads and business directory websites. Attackers could leverage this vulnerability to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites, potentially leading to account compromise or phishing attacks.

Potential Impact

For European organizations, especially small and medium enterprises (SMEs) and local businesses relying on WordPress-based classified ads or business directory websites, this vulnerability poses a tangible risk. Exploitation could lead to theft of user credentials or session tokens, enabling attackers to impersonate legitimate users or administrators. This can result in unauthorized access to sensitive business information or customer data, violating GDPR requirements and leading to regulatory penalties. Additionally, successful XSS attacks can damage brand reputation and erode customer trust. Since many European businesses use WordPress due to its ease of use and cost-effectiveness, the attack surface is significant. Furthermore, sectors such as real estate, local commerce, and service providers that use classified ads platforms are particularly vulnerable. The reflected nature of the XSS means attackers must entice users to click malicious links, which could be distributed via email or social media, increasing the risk of targeted phishing campaigns within European markets.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately update the Classima theme to version 2.1.11 or later and its required plugins to the fixed releases or later (Classified Listing 2.2.14, Classified Listing Pro 2.0.20, Classified Listing Store & Membership 1.4.20, Classima Core 1.10). If updates are not immediately possible, implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns that attempt to inject scripts into URL parameters or form inputs. Additionally, site administrators should enforce Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. Regular security audits and penetration testing focusing on input validation and output encoding should be conducted. Educating users about the risks of clicking unknown links can also reduce the likelihood of successful exploitation. Finally, monitoring web server logs for unusual query parameters or repeated suspicious requests can help detect exploitation attempts early.
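The log-monitoring step above can be sketched as follows. This is an added example, not part of the original advisory or the vendor's code: it flags query parameters whose decoded value contains both an attribute-breaking character and a script marker. The parameter name `example_param`, the combined log format and the sample lines are constructed assumptions, since the advisory does not name the affected parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that close an HTML attribute value or open a tag when reflected unescaped.
BREAKOUT = re.compile(r'["\'<>`]')
# What usually follows a breakout: inline event handler, script tag, script URL.
SCRIPTISH = re.compile(r'\bon[a-z]+\s*=|<\s*script|javascript\s*:', re.IGNORECASE)
# Client address and request target of a combined-format access log line.
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(client, name, decoded_value)] for parameters that look like attribute breakouts."""
    m = LINE.search(log_line)
    if not m:
        return []
    client, target = m.groups()
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded input is seen as well.
        decoded = unquote(value)
        # Require both signals: a lone quote (O'Brien) is normal search input.
        if BREAKOUT.search(decoded) and SCRIPTISH.search(decoded):
            hits.append((client, name, decoded))
    return hits

def scan(lines):
    """Flatten the hits for every line of an access log."""
    return [hit for line in lines for hit in suspicious_params(line)]

# Constructed sample lines (documentation IP ranges, hypothetical parameter name).
SAMPLE = [
    '203.0.113.7 - - [16/Sep/2022:09:01:12 +0000] "GET /listings/?example_param=bicycle HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [16/Sep/2022:09:02:40 +0000] "GET /listings/?example_param=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5188 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Sep/2022:09:03:05 +0000] "GET /listings/?example_param=O%27Brien+%26+sons HTTP/1.1" 200 5090 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [16/Sep/2022:09:04:18 +0000] "GET /listings/?example_param=%2522%2520onfocus%253Dx HTTP/1.1" 200 5201 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, name, value in scan(SAMPLE):
        print(f"{client} {name}={value!r}")
```

Hits from the same client across several requests are the "repeated suspicious requests" pattern worth alerting on; a match only shows that an attempt was logged, not that the page reflected it.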

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-08-04T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842df031a426642debc9722

Added to database: 6/6/2025, 12:28:51 PM

Last enriched: 7/7/2025, 6:55:35 PM

Last updated: 8/11/2025, 10:41:34 PM
