Impact
Improper neutralization of user input in the Listeo Core plugin allows reflected Cross-Site Scripting (CWE-79). The plugin echoes data from query parameters or form fields directly into the browser without encoding, so a script embedded in that data executes when a victim visits a crafted page. The likely attack vector is a specially constructed URL or form submission that reaches the plugin's output surface; an attacker typically delivers it by social engineering, for example by directing a user to a malicious link.
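To make the pattern concrete, the following is an added example and not code from Listeo Core or Purethemes: a request parameter echoed unchanged into HTML (the defect class the advisory describes) beside a hardened rendering that uses the standard WordPress helpers sanitize_text_field(), wp_unslash(), esc_html() and esc_attr(). The function names listeo_demo_*, the q parameter and the sample input are hypothetical; the function_exists() fallbacks only exist so the file runs under plain php outside WordPress.

```php
<?php
// Added example (not Listeo Core code). Shows the reflected-XSS pattern from the
// advisory and a hardened equivalent. Names prefixed listeo_demo_ and the "q"
// parameter are hypothetical. Fallbacks let this run with `php file.php` outside WP.

if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation of WordPress behaviour: strip tags, control chars, outer whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return stripslashes((string) $value);
    }
}

// VULNERABLE: the request value lands in both an HTML text node and an attribute
// with no encoding, so markup or a quote in the value changes the page structure.
function listeo_demo_render_search_vulnerable(array $request): string {
    $q = $request['q'] ?? '';
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="q" value="' . $q . '">';
}

// HARDENED: sanitize once on the way in, then escape for each output context.
// esc_html() for text content, esc_attr() inside a quoted attribute.
function listeo_demo_render_search_hardened(array $request): string {
    $q = isset($request['q']) ? sanitize_text_field(wp_unslash($request['q'])) : '';
    return '<p>Results for: ' . esc_html($q) . '</p>'
         . '<input type="text" name="q" value="' . esc_attr($q) . '">';
}

// Constructed sample input standing in for a crafted query string (not a real request).
$sample = ['q' => '<script>alert(1)</script>'];

$vuln = listeo_demo_render_search_vulnerable($sample);
$safe = listeo_demo_render_search_hardened($sample);

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";

// Regression check a plugin test suite could keep: no raw tag survives into the markup.
if (strpos($safe, '<script') !== false || strpos($safe, '"') !== false && strpos($safe, '&quot;') === false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "ok: hardened output contains no unescaped markup\n";
```

The essential fix is the output-side escaping with the helper that matches the context (esc_html() for text, esc_attr() for attribute values, esc_url() for hrefs); sanitize_text_field() on input is defence in depth, not a substitute, because it is not context-aware. When reviewing a plugin for this class of bug, search for echo or print of $_GET, $_POST, $_REQUEST or values derived from them that are not wrapped in an esc_*() call.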
Affected Systems
Purethemes Listeo Core is a WordPress plugin that provides directory and listing functionality. Versions from the initial release up to, but not including, 2.0.19 are affected. The plugin may be installed on any WordPress site that has not applied the update.
Risk and Exploitability
The CVSS base score of 7.1 indicates a moderate‑to‑high risk level, while the EPSS score of less than 1% suggests that, as of this analysis, exploitation attempts are unlikely to be observed in the wild. The vulnerability is not listed in CISA’s KEV catalog, which supports the assessment that no widespread exploitation campaigns have been documented. Based on the description, the attacker must be able to supply a crafted request that reaches the plugin’s output surface; once the payload is reflected in the browser, it executes with the privileges of the visiting user.
OpenCVE Enrichment