Purethemes Listeo Core
cpe:2.3:a:purethemes:listeo:*:*:*:*:wordpress:*:*
- <= 2.0.27
The Listeo Core plugin for WordPress contains a vulnerability that allows unauthenticated users to upload arbitrary media to the site's media library. All versions of the plugin up to and including 2.0.27 are affected. The cause is the 'listeo_core_handle_dropped_media' function, which lacks proper authorization and capability checks on the AJAX endpoint responsible for file uploads. As a result, unauthenticated attackers can upload files, although the flaw does not by itself execute code.
Exploitation of this vulnerability could lead to unauthorized media uploads, potentially allowing for the later execution of malicious code if the uploaded files are of a type that can be executed.
Users are advised to update the Listeo Core plugin to version 2.0.28 or a newer patched version.
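For plugin authors and reviewers, the authorization and capability checks described above look like this in a WordPress AJAX upload handler. This is an added example, not Listeo Core's code or its patch; the action name `example_dropped_media`, the nonce action, the `file` field name and the image-only allow-list are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. All "example_" names are hypothetical.

// Register only the authenticated hook. Without a matching wp_ajax_nopriv_
// registration, logged-out requests to admin-ajax.php never reach the handler.
add_action( 'wp_ajax_example_dropped_media', 'example_handle_dropped_media' );

function example_handle_dropped_media() {
    // 1. Request origin: verify the nonce issued with the upload form.
    //    Third argument false, so the handler controls the error response.
    if ( ! check_ajax_referer( 'example_dropped_media', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Capability: the caller must be allowed to add to the media library.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    if ( empty( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file sent.' ), 400 );
    }

    // 3. File type: allow-list checked against both extension and content,
    //    so an executable type cannot be stored for later use.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 415 );
    }

    // media_handle_upload() needs these admin includes outside wp-admin screens.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';

    $overrides     = array( 'test_form' => false, 'mimes' => $allowed );
    $attachment_id = media_handle_upload( 'file', 0, array(), $overrides );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```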