CVE-2025-54698: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in RadiusTheme Classified Listing

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-54698, cve, cve-2025-54698, cwe-80
Published: Thu Aug 14 2025 (08/14/2025, 10:34:54 UTC)
Source: CVE Database V5
Vendor/Project: RadiusTheme
Product: Classified Listing

Description

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RadiusTheme Classified Listing allows Code Injection. This issue affects Classified Listing: from n/a through 5.0.0.

AI-Powered Analysis

Last updated: 08/14/2025, 11:08:01 UTC

Technical Analysis

CVE-2025-54698 is a medium-severity vulnerability classified under CWE-80, which pertains to improper neutralization of script-related HTML tags in a web page, commonly known as Cross-Site Scripting (XSS). This vulnerability affects the RadiusTheme Classified Listing product, specifically versions up to 5.0.0. The flaw allows an attacker with at least low privileges (PR:L) and requiring user interaction (UI:R) to inject malicious scripts into web pages served by the Classified Listing application. The vulnerability is remotely exploitable (AV:N) with low attack complexity (AC:L), and it impacts the integrity and availability of the affected system, but not confidentiality directly. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The CVSS 3.1 base score is 5.4, reflecting a medium severity level. No known exploits are currently reported in the wild, and no patches have been linked yet.

The vulnerability arises from insufficient sanitization or encoding of user-supplied input that is reflected or stored and then rendered in the web interface, allowing script injection that can execute in the context of other users' browsers. This can lead to session hijacking, defacement, or denial of service through script execution. The requirement for user interaction means that an attacker must trick a user into clicking a crafted link or visiting a malicious page that triggers the payload.

The vulnerability's presence in a classified listings platform suggests that attackers could target end users or administrators who manage listings, potentially compromising their sessions or manipulating listing data. Given the nature of the product, which is often used by small to medium enterprises or local marketplaces, the impact could be significant in terms of trust and operational disruption.

Potential Impact

For European organizations using RadiusTheme Classified Listing, this vulnerability poses a risk primarily to the integrity and availability of their web services. Attackers could exploit this XSS flaw to execute malicious scripts in the browsers of users or administrators, leading to session hijacking, unauthorized actions, or defacement of listings. This could damage the reputation of businesses relying on the platform, cause loss of customer trust, and disrupt normal operations. Since the vulnerability requires user interaction and some privilege, phishing or social engineering campaigns could be used to exploit it. The impact is heightened in sectors where classified listings are critical for business operations, such as real estate, automotive sales, or local services. Additionally, the scope change indicates that the vulnerability could affect other components or user sessions beyond the initial injection point, potentially amplifying the damage. While confidentiality is not directly impacted, the indirect effects of session hijacking could lead to data exposure. The lack of known exploits in the wild currently reduces immediate risk, but the medium severity and ease of exploitation suggest that attackers could develop exploits rapidly once the vulnerability is public. European organizations must be vigilant, especially those with public-facing classified listing sites, to prevent reputational and operational harm.

Mitigation Recommendations

1. Immediate mitigation should include implementing strict input validation and output encoding on all user-supplied data fields within the Classified Listing application to neutralize script tags and other executable content.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, limiting the impact of any injected scripts.
3. Use HTTP-only and secure flags on session cookies to reduce the risk of session hijacking via XSS.
4. Educate users and administrators about phishing risks and the importance of not clicking suspicious links, as exploitation requires user interaction.
5. Monitor web application logs and user activity for unusual behavior that could indicate attempted exploitation.
6. Since no patch is currently linked, organizations should contact RadiusTheme for updates or consider temporary workarounds such as disabling vulnerable features or restricting access to trusted users only.
7. Regularly update and audit third-party plugins and themes to ensure no additional vulnerabilities are present.
8. Implement web application firewalls (WAF) with rules to detect and block common XSS attack patterns targeting the Classified Listing product.
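A way to check recommendations 1 to 3 on a deployed site, as an added example that is not part of the original advisory and not RadiusTheme code: it encodes a user-supplied value for HTML output and audits one response's headers for a script-restricting CSP and for cookie flags. The function names and the sample headers are constructed for illustration, and the audit covers every cookie in the response, not only session cookies.

```python
import html

def encode_for_html(value: str) -> str:
    """Recommendation 1: encode user input at output time (HTML body/attribute context)."""
    return html.escape(value, quote=True)

def audit_headers(headers):
    """Return findings for recommendations 2 (CSP) and 3 (cookie flags).

    `headers` is a list of (name, value) pairs from a single HTTP response.
    Only the first Content-Security-Policy header is inspected.
    """
    findings = []
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    if not csp:
        findings.append("csp: header missing")
    else:
        directives = {}
        for part in csp[0].split(";"):
            tokens = part.split()
            if tokens:
                directives.setdefault(tokens[0].lower(), tokens[1:])
        # script-src falls back to default-src when it is absent
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("csp: no script-src or default-src")
        elif "'unsafe-inline'" in script_src and not any(
            s.startswith(("'nonce-", "'sha")) for s in script_src
        ):
            # without a nonce or hash, 'unsafe-inline' lets injected inline scripts run
            findings.append("csp: script-src allows 'unsafe-inline'")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.split("=", 1)[0].strip().lower() for a in v.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
    return findings

SAMPLE = [  # constructed response headers, not captured from a real site
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    print(encode_for_html('<script>x</script> "listing"'))
    for finding in audit_headers(SAMPLE):
        print(finding)
```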

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-07-28T10:56:09.192Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689dbee6ad5a09ad0059e6e5

Added to database: 8/14/2025, 10:48:06 AM

Last enriched: 8/14/2025, 11:08:01 AM

Last updated: 8/16/2025, 12:34:39 AM
