Description
The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the "listeo_core_handle_dropped_media" function. This is due to missing authorization and capability checks on the AJAX endpoint handling file uploads. This makes it possible for unauthenticated attackers to upload arbitrary media to the site's media library, without achieving direct code execution.
Published: 2026-04-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary media upload to WordPress media library
Action: Immediate Patch
AI Analysis

Impact

The Listeo-Core plugin has a missing authorization check on an AJAX endpoint that handles media uploads. An attacker who can reach the site can submit arbitrary files to the media library without needing any credentials, allowing the insertion of malicious media. While this vulnerability does not provide direct code execution, it compromises the integrity of the media library and can serve as a foothold for further attacks or content defacement. The weakness is a lack of proper authentication and capability verification (CWE-434).

Affected Systems

This issue affects the Purethemes Listeo-Core Directory Plugin for WordPress, versions 2.0.27 and all earlier releases. Users running these versions are vulnerable until the plugin is updated beyond 2.0.27.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity risk. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog, but the lack of authentication on the upload endpoint suggests it could be exploited from any user with network access to the site. Since the attack requires no privileges, the risk of widespread compromise is moderate, though the potential for integrity damage and phishing remains significant. No direct code execution is possible, but the uploaded files could be used as a vector for other attacks if exploited further by attackers.

Generated by OpenCVE AI on April 4, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Listeo-Core Directory Plugin to version 2.0.28 or later.
  • If an immediate upgrade is not feasible, restrict media uploads so that only authenticated administrators can upload files, or block the unprotected AJAX endpoint.
  • Regularly audit the media library for unexpected or malicious files and monitor for abnormal upload activity.

Generated by OpenCVE AI on April 4, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Purethemes
Purethemes listeo-core - Directory Plugin By Purethemes
Wordpress
Wordpress wordpress
Vendors & Products Purethemes
Purethemes listeo-core - Directory Plugin By Purethemes
Wordpress
Wordpress wordpress

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Description The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the "listeo_core_handle_dropped_media" function. This is due to missing authorization and capability checks on the AJAX endpoint handling file uploads. This makes it possible for unauthenticated attackers to upload arbitrary media to the site's media library, without achieving direct code execution.
Title Listeo-Core - Directory Plugin by Purethemes <= 2.0.27 - Unauthenticated Arbitrary Media Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Purethemes Listeo-core - Directory Plugin By Purethemes
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:37.411Z

Reserved: 2025-12-18T21:26:49.488Z

Link: CVE-2025-14938

cve-icon Vulnrichment

Updated: 2026-04-06T15:30:23.571Z

cve-icon NVD

Status : Deferred

Published: 2026-04-04T12:16:01.450

Modified: 2026-04-24T18:13:28.877

Link: CVE-2025-14938

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:20:48Z

Weaknesses