{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25369", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.300Z", "datePublished": "2026-03-16T14:13:48.908Z", "dateUpdated": "2026-05-11T20:50:26.639Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "flexmls-idx", "product": "Flexmls\u00ae IDX", "vendor": "flexmls", "versions": [{"changes": [{"at": "3.15.10", "status": "unaffected"}], "lessThanOrEqual": "3.15.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Riski Gana Prasetya | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:05.406Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls\u00ae IDX flexmls-idx allows Reflected XSS.<p>This issue affects Flexmls\u00ae IDX: from n/a through <= 3.15.9.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls\u00ae IDX flexmls-idx allows Reflected XSS.This issue affects Flexmls\u00ae IDX: from n/a through <= 3.15.9."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.899Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Flexmls\u00ae IDX plugin <= 3.15.9 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T15:00:15.208193Z", "id": "CVE-2026-25369", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T20:50:26.639Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25369", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.300Z", "datePublished": "2026-03-16T14:13:48.908Z", "dateUpdated": "2026-05-11T20:50:26.639Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "flexmls-idx", "product": "Flexmls\u00ae IDX", "vendor": "flexmls", "versions": [{"changes": [{"at": "3.15.10", "status": "unaffected"}], "lessThanOrEqual": "3.15.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Riski Gana Prasetya | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:05.406Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls\u00ae IDX flexmls-idx allows Reflected XSS.<p>This issue affects Flexmls\u00ae IDX: from n/a through <= 3.15.9.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls\u00ae IDX flexmls-idx allows Reflected XSS.This issue affects Flexmls\u00ae IDX: from n/a through <= 3.15.9."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.899Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Flexmls\u00ae IDX plugin <= 3.15.9 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25369", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T15:00:15.208193Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:00:18.095Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls\u00ae IDX flexmls-idx allows Reflected XSS.This issue affects Flexmls\u00ae IDX: from n/a through <= 3.15.9."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Flexmls Flexmls\u00ae IDX permite XSS Reflejado. Este problema afecta a Flexmls\u00ae IDX: desde n/a hasta 3.15.9."}], "id": "CVE-2026-25369", "lastModified": "2026-04-23T15:37:06.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-16T15:16:21.530", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.15.9]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.15.10"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Flexmls\u00ae IDX", "source": "cna", "vendor": "Flexmls"}, "product": "flexmls_idx", "vendor": "flexmls"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T22:21:46.209694+00:00", "value": {"mitigation_remediation": ["Upgrade the Flexmls\u00ae IDX plugin to version 3.16.0 or later.", "If upgrade is not possible at the moment, deactivate the Flexmls\u00ae IDX plugin to prevent the vulnerability from being exposed.", "Configure a web application firewall or add web\u2011server rules to block malicious input patterns and enforce a strict Content Security Policy to mitigate any remaining XSS risk.", "Run or use a sanitization plugin that escapes all user\u2011generated content served by the Flexmls\u00ae IDX plugin to add an extra layer of protection."], "summary": {"action": "Immediate Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Flexmls\u00ae IDX plugin for WordPress up to and including version 3.15.9. Any WordPress site that has installed the plugin at or below this version is at risk; no other components or versions are known to be affected.", "description_and_impact": "A reflected cross\u2011site scripting flaw exists in the Flexmls\u00ae IDX WordPress plugin caused by improper neutralization of user input, a weakness identified as CWE\u201179. When a victim visits a specially crafted request or submits data that is echoed back in the page, an attacker can inject arbitrary JavaScript. Such injected code can steal credentials, hijack sessions, deface the site, or redirect users to malicious destinations, thereby compromising the confidentiality, integrity, and availability of the WordPress installation.", "risk_and_exploitability": "The EPSS score indicates a low exploitation probability (under 1%), and the flaw is not listed in the CISA KEV catalog. Nevertheless, reflected XSS can be triggered simply by a crafted URL or form input, making it readily exploitable by an attacker who can lure a legitimate user to a malicious link. Although a published exploit is not available, the attack surface is accessible via standard web requests, and social engineering can increase the likelihood of victim interaction. The CVSS base score of 7.1 reflects a high severity assessment under common risk models."}}}}, "created": "2026-03-17T09:52:53.362925+00:00", "updated": "2026-04-28T22:30:41.613456+00:00", "vendors": ["flexmls", "flexmls$PRODUCT$flexmls_idx", "wordpress", "wordpress$PRODUCT$wordpress"]}