External risk intelligence

ListingPro SQL Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-39438

An unauthenticated SQL injection vulnerability exists in the ListingPro plugin, potentially allowing attackers to access or modify sensitive data. This external threat requires immediate assessment to understand its presence and criticality within your environment.

SQL Injection

Halo Surface Signal

Likely · external exposure

Halo Surface Signal: 4

This vulnerability affects a WordPress plugin. WordPress plugins are web application components that commonly run on public-facing websites and services reachable over the internet.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in ListingPro, a widely used WordPress plugin, that could allow unauthenticated attackers to inject malicious SQL code. This type of attack exploits weaknesses in how the plugin handles database queries, potentially leading to unauthorized access to or manipulation of sensitive data stored within the associated WordPress installation. The severity suggests a significant risk if exploited, necessitating a focused review of its presence within the organization's digital footprint.

  • SQL injection flaw in ListingPro plugin.
  • Potential for unauthorized data access.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending specially crafted input to the affected component. This allows them to inject malicious SQL code, potentially leading to unauthorized data access or modification within the system.

  • No authentication required to trigger.
  • SQL injection via crafted input.
  • Unauthorized data access or modification.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated SQL injection vulnerability exists in ListingPro. If exploited, it could allow an attacker to manipulate database queries, potentially exposing or corrupting sensitive information stored in the application's database. The impact depends on what data ListingPro manages and how it is structured.

  • Database integrity and confidentiality.
  • Exploiting unauthenticated API endpoints.
  • Data exposure or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection vulnerability affects the ListingPro plugin, potentially impacting public-facing websites. Initial response should focus on identifying all deployments of the affected plugin, assessing their exposure and business criticality, and confirming ownership with the application or platform teams. Remediation planning should then prioritize critical and exposed instances.

  • Application owners should investigate.
  • Verify plugin presence and exposure.
  • Plan targeted remediation.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-39438 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated SQL injection vulnerability is PCI relevant because it can lead to critical system compromise and likely result in a scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the ListingPro plugin?

ListingPro is a software component designed for WordPress sites that manages directory and listing functionality. It is typically used to build service-oriented websites where users can browse, search, and submit listings or business information. Because it operates within the WordPress ecosystem, it interacts directly with the site's database to store and retrieve these directory entries.

What does CVE-2026-39438 mean?

This identifier refers to an SQL Injection vulnerability, classified as CWE-89. In plain terms, this means the software does not properly filter information provided by users before including it in database commands. Because of this weakness, an attacker can supply malicious instructions disguised as normal input, tricking the plugin into running unintended database queries.

How can an attacker trigger this vulnerability?

An attacker exploits this by sending specially crafted input to the plugin's endpoints. Because the vulnerability does not require authentication, the attacker does not need to log in or have a user account to send these requests. The bug is triggered when the application processes this malicious input; it is not triggered by standard, legitimate interactions with the directory features.

Do I need to worry about my ListingPro instance?

If your instance is internet-facing, Halo Surface Signal flags this as a priority concern. Since ListingPro is commonly deployed as part of public-facing web services, it is naturally reachable by remote actors. You should care if your organization uses this plugin, as the vulnerability allows for unauthorized interaction with the underlying database without requiring valid credentials.

How should I respond to this vulnerability?

First, create an inventory of all websites in your environment to confirm if they are running the affected plugin versions. Work with your web development or platform teams to verify which instances are exposed to the internet. Prioritize these public-facing installations for your security planning, and monitor for any updates that address this SQL injection flaw.
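One way to carry out the inventory step above (and the "identify all deployments" step in the Operational Fix section), as an added example that is not part of this advisory or of ListingPro: a POSIX shell function that walks WordPress installs under a root directory and reports the installed version of a named plugin from its plugin header. The directory layout, the plugin directory name and the fixture data are constructed assumptions; the advisory states no affected version range, so the output is for owners to compare against the vendor's fix notes.

```shell
#!/bin/sh
# Added example: inventory which WordPress installs under a root directory
# carry a given plugin, by reading the plugin header WordPress requires in
# the plugin's main PHP file ("Plugin Name:" and "Version:" lines).
# Assumptions: sites live somewhere under ROOT with the standard
# wp-content/plugins layout; the advisory gives no affected version range,
# so the output is for owners to compare against the vendor's fix notes.

# list_plugin_versions ROOT NAME
# Prints "<site-path> <version>" for each install whose plugin tree contains
# a plugin header named NAME (case-insensitive); prints nothing otherwise.
list_plugin_versions() {
    root=$1
    name=$2
    find "$root" -path '*/wp-content/plugins/*' -name '*.php' 2>/dev/null |
    while IFS= read -r f; do
        # Header lines may be bare or prefixed with " * " inside a comment.
        if grep -qi "^[[:space:]*]*Plugin Name:[[:space:]]*$name[[:space:]]*$" "$f"; then
            ver=$(sed -n 's/^[[:space:]*]*[Vv]ersion:[[:space:]]*//p' "$f" |
                  head -n 1 | sed 's/[[:space:]]*$//')
            site=${f%%/wp-content/*}
            printf '%s %s\n' "$site" "${ver:-unknown}"
        fi
    done
}

# make_fixture: builds a constructed (not real) directory tree so the script
# runs stand-alone; prints the temporary root it created.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/siteA/wp-content/plugins/listingpro" \
             "$d/siteB/wp-content/plugins/other"
    printf '<?php\n/*\nPlugin Name: ListingPro\nVersion: 1.0.0\n*/\n' \
        > "$d/siteA/wp-content/plugins/listingpro/listingpro.php"
    printf '<?php\n/*\n * Plugin Name: Other Plugin\n * Version: 3.2\n */\n' \
        > "$d/siteB/wp-content/plugins/other/other.php"
    printf '%s\n' "$d"
}

# Usage: "sh inventory.sh --demo" runs against the constructed fixture;
# call list_plugin_versions /var/www ListingPro (or your own root) for real.
if [ "${1:-}" = "--demo" ]; then
    fixture=$(make_fixture)
    list_plugin_versions "$fixture" "ListingPro"
    rm -rf "$fixture"
fi
```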
