{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25369", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.300Z", "datePublished": "2026-03-16T14:13:48.908Z", "dateUpdated": "2026-04-01T16:00:42.088Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "flexmls-idx", "product": "Flexmls\u00ae IDX", "vendor": "flexmls", "versions": [{"changes": [{"at": "3.15.10", "status": "unaffected"}], "lessThanOrEqual": "3.15.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Riski Gana Prasetya | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:05.406Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls\u00ae IDX flexmls-idx allows Reflected XSS.<p>This issue affects Flexmls\u00ae IDX: from n/a through <= 3.15.9.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls\u00ae IDX flexmls-idx allows Reflected XSS.This issue affects Flexmls\u00ae IDX: from n/a through <= 3.15.9."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T16:00:42.088Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Flexmls\u00ae IDX plugin <= 3.15.9 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T15:00:15.208193Z", "id": "CVE-2026-25369", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:00:29.234Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25369", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T15:00:15.208193Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:00:18.095Z"}}], "cna": {"title": "WordPress Flexmls\u00ae IDX plugin <= 3.15.9 - Reflected Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Riski Gana Prasetya | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Flexmls", "product": "Flexmls\u00ae IDX", "versions": [{"status": "affected", "changes": [{"at": "3.15.10", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "3.15.9"}], "packageName": "flexmls-idx", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Flexmls\u00ae IDX Plugin to the latest available version (at least 3.15.10).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Flexmls\u00ae IDX Plugin to the latest available version (at least 3.15.10).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flexmls Flexmls\u00ae IDX allows Reflected XSS.This issue affects Flexmls\u00ae IDX: from n/a through 3.15.9.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flexmls Flexmls\u00ae IDX allows Reflected XSS.<p>This issue affects Flexmls\u00ae IDX: from n/a through 3.15.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-16T14:13:48.908Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25369", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:00:29.234Z", "dateReserved": "2026-02-02T12:52:55.300Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-16T14:13:48.908Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls\u00ae IDX flexmls-idx allows Reflected XSS.This issue affects Flexmls\u00ae IDX: from n/a through <= 3.15.9."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Flexmls Flexmls\u00ae IDX permite XSS Reflejado. Este problema afecta a Flexmls\u00ae IDX: desde n/a hasta 3.15.9."}], "id": "CVE-2026-25369", "lastModified": "2026-04-01T17:28:35.487", "metrics": {}, "published": "2026-03-16T15:16:21.530", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.15.9]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.15.10"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Flexmls\u00ae IDX", "source": "cna", "vendor": "Flexmls"}, "product": "flexmls_idx", "vendor": "flexmls"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T12:06:35.190136+00:00", "value": {"mitigation_remediation": ["Update the Flexmls\u00ae IDX plugin to version 3.15.10 or later."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "All installations of the Flexmls\u00ae IDX plugin, regardless of environment, are affected if the plugin version is 3.15.9 or earlier. The version information provided indicates vulnerability from the earliest available version up to and including 3.15.9; no higher versions below 3.15.10 are listed as impacted.", "description_and_impact": "The Flexmls\u00ae IDX plugin for WordPress suffers from an improper neutralization of input during web page generation (CWE\u201179), allowing attackers to inject arbitrary JavaScript that is reflected back to users. This reflected cross\u2011site scripting (XSS) flaw enables execution of malicious code in the context of any visitor who loads a page or submits an input containing the injected payload, potentially leading to cookie theft, session hijacking, or site defacement.", "risk_and_exploitability": "The documented CVSS base score is 7.1, indicating a high severity level. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted URL or form input that is reflected without adequate sanitization, as is typical for reflected XSS; this inference is based on the description and the nature of the flaw."}}}}, "created": "2026-03-17T09:52:53.362925+00:00", "updated": "2026-03-24T10:44:28.217804+00:00", "vendors": ["flexmls", "flexmls$PRODUCT$flexmls_idx", "wordpress", "wordpress$PRODUCT$wordpress"]}