{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14938", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T21:26:49.488Z", "datePublished": "2026-04-04T11:16:15.816Z", "dateUpdated": "2026-04-08T16:51:37.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:37.411Z"}, "affected": [{"vendor": "purethemes", "product": "Listeo-Core - Directory Plugin by Purethemes", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.27", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the \"listeo_core_handle_dropped_media\" function. This is due to missing authorization and capability checks on the AJAX endpoint handling file uploads. This makes it possible for unauthenticated attackers to upload arbitrary media to the site's media library, without achieving direct code execution."}], "title": "Listeo-Core - Directory Plugin by Purethemes <= 2.0.27 - Unauthenticated Arbitrary Media Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4decf597-1819-402f-ab28-2446a3e6215f?source=cve"}, {"url": "https://docs.purethemes.net/listeo/knowledge-base/changelog-listeo/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Paolo Tresso"}], "timeline": [{"time": "2025-10-16T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-04-03T22:09:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:29:38.657866Z", "id": "CVE-2025-14938", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:41:24.091Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:29:38.657866Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:30:23.571Z"}}], "cna": {"title": "Listeo-Core - Directory Plugin by Purethemes <= 2.0.27 - Unauthenticated Arbitrary Media Upload", "credits": [{"lang": "en", "type": "finder", "value": "Paolo Tresso"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "purethemes", "product": "Listeo-Core - Directory Plugin by Purethemes", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.27"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-16T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-04-03T22:09:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4decf597-1819-402f-ab28-2446a3e6215f?source=cve"}, {"url": "https://docs.purethemes.net/listeo/knowledge-base/changelog-listeo/"}], "descriptions": [{"lang": "en", "value": "The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the \"listeo_core_handle_dropped_media\" function. This is due to missing authorization and capability checks on the AJAX endpoint handling file uploads. This makes it possible for unauthenticated attackers to upload arbitrary media to the site's media library, without achieving direct code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-04T11:16:15.816Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14938", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:41:24.091Z", "dateReserved": "2025-12-18T21:26:49.488Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T11:16:15.816Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the \"listeo_core_handle_dropped_media\" function. This is due to missing authorization and capability checks on the AJAX endpoint handling file uploads. This makes it possible for unauthenticated attackers to upload arbitrary media to the site's media library, without achieving direct code execution."}], "id": "CVE-2025-14938", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T12:16:01.450", "references": [{"source": "security@wordfence.com", "url": "https://docs.purethemes.net/listeo/knowledge-base/changelog-listeo/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4decf597-1819-402f-ab28-2446a3e6215f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.27]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Listeo-Core - Directory Plugin by Purethemes", "source": "cna", "vendor": "purethemes"}, "product": "listeo-core_-_directory_plugin_by_purethemes", "vendor": "purethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-04T13:21:55.196679+00:00", "value": {"mitigation_remediation": ["Upgrade Listeo-Core Directory Plugin to version 2.0.28 or later.", "If an immediate upgrade is not feasible, restrict media uploads so that only authenticated administrators can upload files, or block the unprotected AJAX endpoint.", "Regularly audit the media library for unexpected or malicious files and monitor for abnormal upload activity."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated arbitrary media upload to WordPress media library"}, "threat_synthesis": {"affected_systems": "This issue affects the Purethemes Listeo-Core Directory Plugin for WordPress, versions 2.0.27 and all earlier releases. Users running these versions are vulnerable until the plugin is updated beyond 2.0.27.", "description_and_impact": "The Listeo-Core plugin has a missing authorization check on an AJAX endpoint that handles media uploads. An attacker who can reach the site can submit arbitrary files to the media library without needing any credentials, allowing the insertion of malicious media. While this vulnerability does not provide direct code execution, it compromises the integrity of the media library and can serve as a foothold for further attacks or content defacement. The weakness is a lack of proper authentication and capability verification (CWE-434).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity risk. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog, but the lack of authentication on the upload endpoint suggests it could be exploited from any user with network access to the site. Since the attack requires no privileges, the risk of widespread compromise is moderate, though the potential for integrity damage and phishing remains significant. No direct code execution is possible, but the uploaded files could be used as a vector for other attacks if exploited further by attackers."}}}}, "created": "2026-04-06T20:27:29.777298+00:00", "updated": "2026-04-06T22:20:48.575832+00:00", "vendors": ["purethemes", "purethemes$PRODUCT$listeo-core_-_directory_plugin_by_purethemes", "wordpress", "wordpress$PRODUCT$wordpress"]}