CVE-2025-64376: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in CridioStudio ListingPro
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro allows Reflected XSS. This issue affects ListingPro: from n/a through < 2.9.10.
AI Analysis
Technical Summary
CVE-2025-64376 is a reflected Cross-site Scripting (XSS) vulnerability found in the ListingPro plugin developed by CridioStudio, affecting all versions prior to 2.9.10. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is reflected back to users. When a victim interacts with a crafted URL or input, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The CVSS 3.1 score of 7.1 indicates a high-severity issue with network attack vector, low attack complexity, no privileges required, but user interaction necessary. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Confidentiality, integrity, and availability impacts are all rated low to medium but combined justify a high severity. No known exploits are currently reported in the wild, but public disclosure increases risk. ListingPro is a popular WordPress directory plugin used by businesses to list services and locations, making it a valuable target for attackers aiming to compromise business websites or their users. The vulnerability was reserved in late October 2025 and published in December 2025, with no patch links currently provided, indicating that organizations must monitor for updates or apply mitigations proactively.
Potential Impact
For European organizations, this vulnerability poses a significant risk to websites using the ListingPro plugin, especially those operating local business directories or service listings. Exploitation can lead to theft of user credentials, session tokens, and personal data, undermining user trust and potentially violating GDPR requirements. Attackers could also deface websites or redirect users to phishing or malware sites, damaging brand reputation and causing operational disruptions. Since ListingPro is widely used in small to medium enterprises and local business platforms, the impact could cascade to customers and partners relying on these services. The reflected XSS nature means attacks often come via phishing or malicious links, increasing the risk to end-users and employees. Additionally, compromised sites could be leveraged as part of larger attack campaigns or to distribute malware, amplifying the threat landscape in Europe. The lack of an immediate patch increases exposure time, necessitating urgent mitigation efforts.
Mitigation Recommendations
Organizations should immediately verify their use of the ListingPro plugin and upgrade to version 2.9.10 or later once available. Until a patch is released, apply Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting ListingPro endpoints. Implement strict input validation and output encoding on all user-supplied data, especially in URL parameters and form inputs processed by ListingPro. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any successful injection. Educate users and administrators about the risks of clicking untrusted links and monitor web logs for suspicious activity indicative of attempted exploitation. Regularly audit and update all WordPress plugins and themes to minimize exposure to known vulnerabilities. Consider isolating critical business directories behind additional authentication or access controls to reduce attack surface. Engage with CridioStudio support channels for timely patch information and guidance.
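To make the vulnerability class and the context-sensitive output encoding recommended above concrete, here is an added WordPress PHP example; it is not ListingPro's code, and the `lp_demo_` function names, the `lp_q` query parameter and the markup are assumptions.

```php
<?php
// Added illustration of CWE-79 (reflected XSS) in a WordPress shortcode.
// Hypothetical code, not ListingPro's; the `lp_q` parameter and markup are assumed.

// BEFORE: the search term is read from the URL and written into the page verbatim,
// so whatever is passed in ?lp_q= is reflected into both an attribute and the body.
function lp_demo_search_box_vulnerable() {
    $q = isset( $_GET['lp_q'] ) ? $_GET['lp_q'] : '';
    return '<input name="lp_q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// AFTER: the same value is unslashed and sanitised on input, then escaped per output context.
function lp_demo_search_box_fixed() {
    // wp_unslash() removes the slashes WordPress adds to request data; sanitize_text_field()
    // strips tags, invalid UTF-8 and line breaks so the value is a plain single-line string.
    $q = isset( $_GET['lp_q'] ) ? sanitize_text_field( wp_unslash( $_GET['lp_q'] ) ) : '';

    // Attribute context: esc_attr() encodes quotes so the value cannot break out of value="...".
    $html  = '<input name="lp_q" value="' . esc_attr( $q ) . '">';
    // HTML body context: esc_html() encodes < > & " ' so any markup is shown as text.
    $html .= '<p>' . sprintf( esc_html__( 'Results for: %s', 'lp-demo' ), esc_html( $q ) ) . '</p>';
    // URL context: esc_url() for a link that carries the term back into the page.
    $html .= '<a href="' . esc_url( add_query_arg( 'lp_q', $q, home_url( '/listings/' ) ) ) . '">'
           . esc_html__( 'Permalink to these results', 'lp-demo' ) . '</a>';
    return $html;
}

add_shortcode( 'lp_demo_search', 'lp_demo_search_box_fixed' );

// Defence in depth: a Content-Security-Policy header limits what an injected script could
// do if another unescaped echo is missed. Extend the source lists to your real origins,
// since a bare 'self' policy will block inline scripts that many WordPress themes rely on.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```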
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-31T11:23:19.708Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943b0564eb3efac36700b32
Added to database: 12/18/2025, 7:42:14 AM
Last enriched: 1/21/2026, 12:09:58 AM
Last updated: 2/7/2026, 11:36:19 AM
Views: 57