This vulnerability in ListingPro (<= 2.9.4) arises from improper neutralization of special elements in SQL commands, enabling SQL Injection attacks. The CVSS 3.1 score of 9.3 reflects its critical severity, with network attack vector, low attack complexity, no privileges or user interaction required, and a scope change. The primary impact is high confidentiality loss, with limited availability impact. No vendor advisory or patch links are currently available, and the product is not a cloud service, so remediation depends on vendor patch releases.

Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database, potentially leading to disclosure of sensitive information (high confidentiality impact) and minor disruption of service (low availability impact). Integrity impact is not indicated. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the vulnerable plugin or disabling it if possible. Monitor vendor channels for updates and apply patches promptly once available.