PT-2026-30342 · Purethemes · Listeo-Core - Directory Plugin By Purethemes
Paolo Tresso · Published 2026-04-04 · Updated 2026-04-04
CVE-2025-14938
CVSS v3.1: 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the "listeo core handle dropped media" function. This is due to missing authorization and capability checks on the AJAX endpoint handling file uploads. This makes it possible for unauthenticated attackers to upload arbitrary media to the site's media library, without achieving direct code execution.
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Listeo-Core - Directory Plugin By Purethemes