Atomic Edge analysis of CVE-2026-28122 (metadata-based):
This vulnerability is a reflected cross-site scripting (XSS) issue in the ListingPro WordPress plugin, version 2.9.8 and earlier. The CWE-79 classification confirms improper neutralization of input during web page generation. The description states that insufficient input sanitization and output escaping enable unauthenticated attackers to inject arbitrary web scripts. Attackers must trick users into clicking a malicious link. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network accessibility, low attack complexity, no privileges required, user interaction required, a changed scope, and low confidentiality and integrity impact with no availability impact.

Atomic Edge research infers that the vulnerability likely exists in a public-facing plugin endpoint that echoes user-supplied parameters without proper escaping. Common WordPress patterns for such vulnerabilities include AJAX handlers (admin-ajax.php), REST API endpoints, or direct PHP file access. The plugin slug ‘listingpro-plugin’ suggests AJAX action names may carry ‘listingpro’ or ‘lp_’ prefixes.

The fix requires adding proper output escaping functions such as esc_html() or esc_attr() before printing user input, chosen to match the output context (HTML text versus attribute value). Exploitation could lead to session hijacking, malicious redirects, or content modification within the plugin’s context.
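The escaping fix described above, shown as an added example in a WordPress AJAX handler; this is not ListingPro's code, and the action name lp_example_search and the keyword parameter are hypothetical:

```php
<?php
// Added example (not ListingPro's code). The action name lp_example_search
// and the 'keyword' parameter are hypothetical placeholders.

// BEFORE: the request parameter is echoed back verbatim into two output
// contexts (text node and attribute value), the CWE-79 pattern the
// analysis describes.
function lp_example_search_unsafe() {
    $keyword = isset( $_GET['keyword'] ) ? $_GET['keyword'] : '';
    echo '<p>Results for: ' . $keyword . '</p>';
    echo '<input type="text" name="keyword" value="' . $keyword . '">';
    wp_die();
}

// AFTER: unslash and sanitize on input, then escape for the exact output
// context at the point of printing.
function lp_example_search_safe() {
    $keyword = isset( $_GET['keyword'] )
        ? sanitize_text_field( wp_unslash( $_GET['keyword'] ) )
        : '';

    // HTML text node: esc_html() encodes <, >, &, " and '.
    echo '<p>Results for: ' . esc_html( $keyword ) . '</p>';

    // Double-quoted attribute value: esc_attr() is the matching escaper.
    // Neither function is sufficient inside a <script> block or a URL;
    // those contexts need wp_json_encode() / esc_js() or esc_url().
    echo '<input type="text" name="keyword" value="' . esc_attr( $keyword ) . '">';
    wp_die();
}

// Only the hardened handler is registered. The nopriv hook exposes the
// endpoint to unauthenticated visitors, which matches the PR:N metric in
// the CVSS vector, so escaping here protects every site visitor.
add_action( 'wp_ajax_lp_example_search',        'lp_example_search_safe' );
add_action( 'wp_ajax_nopriv_lp_example_search', 'lp_example_search_safe' );
```

When auditing a plugin for this class of bug, look for `echo`/`print` statements whose operands trace back to `$_GET`, `$_POST` or `$_REQUEST` without an `esc_*()` call in between.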
