Reflected & Persistent XSS was discovered in the «ListingPro - WordPress Directory Theme». Current version is 184.108.40.206 (August 9th 2019). Edit (WPScanTeam): November 29th, 2019 - Envato Informed November 29th, 2019 - Envato Investigating December 4th, 2019 - v220.127.116.11 Released, fixing the reflected XSS but not the stored one. Envato notified again. December 5th, 2019 - v18.104.22.168 released, stored XSS still present. December 5th, 2019 - Envato Confirmed Stored XSS still present. December 12th, 2019 - v22.214.171.124 released, fixing the stored XSS.