{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67932", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:55.700Z", "datePublished": "2026-01-08T09:17:49.010Z", "dateUpdated": "2026-04-28T16:14:23.618Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "listeo-core", "product": "Listeo Core", "vendor": "purethemes", "versions": [{"changes": [{"at": "2.0.19", "status": "unaffected"}], "lessThanOrEqual": "2.0.19", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:32.813Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.<p>This issue affects Listeo Core: from n/a through < 2.0.19.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through < 2.0.19."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:23.618Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/listeo-core/vulnerability/wordpress-listeo-core-plugin-2-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Listeo Core plugin < 2.0.19 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T14:53:57.191377Z", "id": "CVE-2025-67932", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:05:42.740Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67932", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T14:53:57.191377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:54:00.255Z"}}], "cna": {"title": "WordPress Listeo Core plugin < 2.0.19 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "purethemes", "product": "Listeo Core", "versions": [{"status": "affected", "changes": [{"at": "2.0.19", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.19"}], "packageName": "listeo-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:32.813Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/listeo-core/vulnerability/wordpress-listeo-core-plugin-2-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through < 2.0.19.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.<p>This issue affects Listeo Core: from n/a through < 2.0.19.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:54.626Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67932", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:05:42.740Z", "dateReserved": "2025-12-15T09:59:55.700Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T09:17:49.010Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through < 2.0.19."}], "id": "CVE-2025-67932", "lastModified": "2026-04-27T18:16:50.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:52.263", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/listeo-core/vulnerability/wordpress-listeo-core-plugin-2-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:02:30.406565+00:00", "value": {"mitigation_remediation": ["Upgrade Listeo Core to version 2.0.19 or later.", "If upgrade is not possible, mitigate by enforcing a strong Content\u2011Security\u2011Policy that disallows execution of inline scripts in pages generated by the plugin.", "Disable or remove the Listeo Core plugin from sites that do not require it."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Purethemes Listeo Core is a WordPress plugin that provides directory and listing functionality. Versions from the initial release up to, but not including, 2.0.19 are affected. The plugin may be installed on any WordPress site that has not applied the update.", "description_and_impact": "Improper neutralization of user input in the Listeo Core plugin allows reflected Cross\u2011Site Scripting (CWE\u201179). The plugin echoes data from query parameters or form fields directly into the browser without encoding, enabling malicious scripts to execute when a victim visits a crafted page. The likely attack vector is a specially constructed URL or form input that reaches the plugin\u2019s output surface, which an attacker can influence through social engineering or by directing a user to a malicious link.", "risk_and_exploitability": "The CVSS base score of 7.1 indicates a moderate\u2011to\u2011high risk level, while the EPSS score of less than 1% suggests that, as of this analysis, exploitation attempts are unlikely to be observed in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog, which supports the assessment that no widespread exploitation campaigns have been documented. Based on the description, the attacker must be able to supply a crafted request that reaches the plugin\u2019s output surface; once the payload is reflected in the browser, it executes with the privileges of the visiting user."}}}}, "created": "2026-01-09T13:25:24.113269+00:00", "updated": "2026-04-28T10:15:28.844379+00:00", "vendors": ["purethemes", "purethemes$PRODUCT$listeo", "wordpress", "wordpress$PRODUCT$wordpress"]}