{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8413", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-31T09:59:28.651Z", "datePublished": "2025-10-25T05:31:18.515Z", "dateUpdated": "2026-04-08T16:37:20.684Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:20.684Z"}, "affected": [{"vendor": "purethemes", "product": "Listeo - Directory & Listings With Booking - WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Listeo theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `soundcloud` shortcode in version less than, or equal to, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Listeo <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundcloud Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17301be2-f2bc-4b59-b0ab-65591ffcfa3e?source=cve"}, {"url": "https://themeforest.net/item/listeo-directory-listings-wordpress-theme/23239259"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Webb"}], "timeline": [{"time": "2025-07-21T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-24T17:11:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:46:41.883485Z", "id": "CVE-2025-8413", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:46:49.140Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8413", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:46:41.883485Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:46:45.923Z"}}], "cna": {"title": "Listeo <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundcloud Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Craig Webb"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "purethemes", "product": "Listeo - Directory & Listings With Booking - WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-21T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-24T17:11:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17301be2-f2bc-4b59-b0ab-65591ffcfa3e?source=cve"}, {"url": "https://themeforest.net/item/listeo-directory-listings-wordpress-theme/23239259"}], "descriptions": [{"lang": "en", "value": "The Listeo theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `soundcloud` shortcode in version less than, or equal to, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:20.684Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8413", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:20.684Z", "dateReserved": "2025-07-31T09:59:28.651Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T05:31:18.515Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Listeo theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `soundcloud` shortcode in version less than, or equal to, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8413", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T06:15:36.770", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/listeo-directory-listings-wordpress-theme/23239259"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17301be2-f2bc-4b59-b0ab-65591ffcfa3e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:02:34.503852+00:00", "value": {"mitigation_remediation": ["Update the Listeo theme to a version newer than 2.0.8.", "If an update is not immediately possible, disable or restrict the soundcloud shortcode so that only trusted roles can use it.", "Examine content created by contributor accounts for any unexpected scripts or markup and remove any that remain."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Products affected are purethemes\u2019 Listeo Directory & Listings With Booking WordPress theme, specifically any installation using version 2.0.8 or earlier. The issue is confined to the theme\u2019s built\u2011in shortcode and does not involve other plugins or core WordPress components.", "description_and_impact": "The Listeo WordPress theme contains a stored cross\u2011site scripting flaw in the soundcloud shortcode. The shortcode does not sanitize or escape user\u2011supplied attributes, allowing an authenticated contributor to inject arbitrary JavaScript into a page. When a visitor loads the page, the malicious script executes in the context of the site, enabling credential theft, defacement, or malicious redirects. The weakness is a classic XSS scenario that compromises user integrity and confidentiality.", "risk_and_exploitability": "The CVSS score of 6.4 categorizes the flaw as medium severity, while the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA KEV. Attackers require only contributor\u2011level access or higher, a common role granted to content authors, making the attack path straightforward. Once the payload is stored, all users who view the affected page will be exposed to the injected script."}}}}, "created": "2025-10-27T22:10:24.040201+00:00", "updated": "2026-04-22T14:15:20.396372+00:00", "vendors": ["purethemes", "purethemes$PRODUCT$listeo", "wordpress", "wordpress$PRODUCT$wordpress"]}