How is CVE-2026-42658 exploited?

Network reachability (required): The attacker must reach the vulnerable WordPress installation over the network; no local or physical access is required. Authentication (not-required): No account or credentials are needed; the vulnerability is exploitable by any unauthenticated party. Victim interaction (required): A victim must interact with a malicious link or page (for example, clicking a crafted URL delivered via phishing or embedded content) to trigger the JavaScript payload in their browser. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other unpredictable environmental factors.

What is the impact of CVE-2026-42658?

An attacker executes arbitrary JavaScript in the victim's browser session, allowing theft of session cookies or authentication tokens for the affected WordPress site. Captured credentials or tokens enable the attacker to impersonate the victim and perform actions on the site with the victim's privilege level. Malicious scripts can modify page content visible to the victim, facilitating phishing, fake login forms, or redirection to attacker-controlled infrastructure. Depending on the victim's role, exploitation may expose stored personal data or classified listing content rendered on the page at the time of attack.

Back to search

HIGHCVE-2026-42658Published 2026-06-15Modified 2026-06-15CNA Patchstack

CVE-2026-42658: WordPress Classified Listing plugin <= 5.3.8 - Cross Site Scripting (XSS) vulnerability

Q: What is CVE-2026-42658?

Reflected or stored cross-site scripting (XSS) vulnerability affects the Classified Listing WordPress plugin at version 5.3.8 and earlier. The vulnerability is reachable over the network, requires no authentication, and is triggered when a victim visits or interacts with a crafted URL or page. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, enabling session hijacking, credential theft, or unauthorized actions performed on the victim's behalf. No fix version has been published; HarborGuard tracks the advisory for patch availability.

Q: Is CVE-2026-42658 patched?

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on each ingest cycle and will make a patched-image rebuild available the moment a fix is released upstream. In the interim, compensating controls such as network-policy isolation and web application firewall rules can be tracked through the HarborGuard advisory monitor for this CVE.

Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.3.8 versions.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Reflected or stored cross-site scripting (XSS) vulnerability affects the Classified Listing WordPress plugin at version 5.3.8 and earlier. The vulnerability is reachable over the network, requires no authentication, and is triggered when a victim visits or interacts with a crafted URL or page. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, enabling session hijacking, credential theft, or unauthorized actions performed on the victim's behalf. No fix version has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-42658 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Patchstack. Coverage extends to custom-built container images that bundle the Classified Listing WordPress plugin.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.1 (HIGH) and weighting findings against each customer's per-environment compliance policy to reflect actual organizational risk tolerance. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on each ingest cycle and will make a patched-image rebuild available the moment a fix is released upstream. In the interim, compensating controls such as network-policy isolation and web application firewall rules can be tracked through the HarborGuard advisory monitor for this CVE.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the vulnerable WordPress installation over the network; no local or physical access is required.
AuthenticationNot required
No account or credentials are needed; the vulnerability is exploitable by any unauthenticated party.
Victim interactionRequired
A victim must interact with a malicious link or page (for example, clicking a crafted URL delivered via phishing or embedded content) to trigger the JavaScript payload in their browser.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other unpredictable environmental factors.

Blast Radius

An attacker executes arbitrary JavaScript in the victim's browser session, allowing theft of session cookies or authentication tokens for the affected WordPress site.
Captured credentials or tokens enable the attacker to impersonate the victim and perform actions on the site with the victim's privilege level.
Malicious scripts can modify page content visible to the victim, facilitating phishing, fake login forms, or redirection to attacker-controlled infrastructure.
Depending on the victim's role, exploitation may expose stored personal data or classified listing content rendered on the page at the time of attack.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored across every ingest cycle, and detection against images bundling Classified Listing plugin at or below version 5.3.8 is operational. Because no upstream fix exists at this time, patched-image rebuild is not yet available, but HarborGuard will generate the rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment an upstream fix is published (median time from CVE publication to merged patch PR for high-severity issues with auto-remediation enabled is around 90 minutes after upstream release). Until a patch ships, compensating controls worth considering include deploying a web application firewall rule to sanitize or block the relevant input vectors, isolating the WordPress deployment behind network policy to limit the population of potential attackers, and disabling the vulnerable plugin functionality via feature flag or configuration if the plugin supports it. Customers can subscribe to advisory update notifications in HarborGuard to receive an alert the moment a fix version is confirmed.

See how HarborGuard automates this

Affected packages

Mamunur Rashid / Classified Listing
≤ 5.3.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

References

patchstack.com

Metrics

Get notified