CVE-2025-63046 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the ListingPro plugin developed by CridioStudio, affecting all versions up to and including 2.9.9. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within client-side scripts that manipulate the Document Object Model (DOM). This flaw allows attackers to inject malicious JavaScript code that executes in the context of the victim's browser when they visit a compromised or crafted page. Unlike traditional reflected or stored XSS, DOM-based XSS occurs entirely on the client side, making detection and mitigation more challenging. The vulnerability does not require authentication, increasing the attack surface to any visitor of affected sites. Potential attack vectors include crafted URLs or manipulated input fields that ListingPro processes without adequate sanitization or encoding. Exploitation can lead to session hijacking, theft of sensitive user data, unauthorized actions on behalf of users, or defacement of web content. Although no known exploits are currently reported in the wild and no official patches have been released, the vulnerability is publicly disclosed and thus may attract attackers. The plugin is widely used in WordPress environments for business directory and listing services, making it a valuable target for attackers aiming to compromise multiple sites. The absence of a CVSS score necessitates an independent severity assessment based on the vulnerability's characteristics.

For European organizations, especially those operating public-facing websites using the ListingPro plugin, this vulnerability poses a significant risk. Successful exploitation can compromise user accounts, leak sensitive information, and damage organizational reputation. Given the plugin's role in managing business listings and directories, attackers could manipulate displayed information, potentially misleading customers or damaging trust. The vulnerability's client-side nature means that any user visiting a compromised page is at risk, broadening the impact scope. Additionally, organizations in sectors relying heavily on online presence, such as tourism, retail, and local services, may face operational disruptions or legal consequences under GDPR if user data is exposed. The lack of authentication requirement and ease of exploitation increase the likelihood of attacks, potentially leading to widespread compromise across multiple sites using the vulnerable plugin.

Organizations should immediately audit their WordPress installations to identify the use of the ListingPro plugin and confirm the version in use. Until an official patch is released, implement strict Content Security Policies (CSP) to restrict script execution and reduce the impact of XSS attacks. Employ web application firewalls (WAFs) with rules targeting DOM-based XSS patterns to detect and block malicious payloads. Developers and site administrators should review and sanitize all user inputs, especially those reflected in client-side scripts or URLs, using robust encoding libraries. Regularly monitor security advisories from CridioStudio and Patchstack for updates or patches and apply them promptly. Educate users and administrators about the risks of clicking suspicious links and encourage the use of security-focused browser extensions. Conduct penetration testing focusing on client-side vulnerabilities to identify and remediate similar issues proactively.