CVE-2025-14938: CWE-434 Unrestricted Upload of File with Dangerous Type in purethemes Listeo-Core - Directory Plugin by Purethemes
The Listeo Core WordPress plugin by Purethemes contains a vulnerability allowing unauthenticated attackers to upload arbitrary media files via an AJAX endpoint lacking authorization checks. This affects all versions up to and including 2. 0. 27. Although this does not allow direct code execution, it permits unauthorized media uploads which could be leveraged for further attacks. The vulnerability is identified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has a CVSS 3. 1 base score of 5. 3, indicating medium severity.
AI Analysis
Technical Summary
CVE-2025-14938 is an unauthenticated arbitrary media upload vulnerability in the Listeo Core WordPress plugin (up to version 2.0.27). The issue arises from missing authorization and capability checks in the AJAX handler function "listeo_core_handle_dropped_media". This allows attackers to upload arbitrary media files to the site's media library without authentication. While direct code execution is not possible through this vulnerability, the ability to upload files without restriction can lead to indirect impacts. No official patch or remediation guidance is currently documented by the vendor.
Potential Impact
An unauthenticated attacker can upload arbitrary media files to the WordPress media library of sites running the vulnerable Listeo Core plugin. This unauthorized upload capability can lead to potential misuse such as hosting malicious content or facilitating further attacks, although direct code execution is not achievable through this vulnerability alone. The impact is limited to integrity (I:L) with no confidentiality or availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should consider restricting access to the AJAX endpoint if possible or disabling the plugin temporarily. Monitoring for unauthorized media uploads and removing suspicious files is recommended. No official patch or temporary fix is currently documented.
CVE-2025-14938: CWE-434 Unrestricted Upload of File with Dangerous Type in purethemes Listeo-Core - Directory Plugin by Purethemes
Description
The Listeo Core WordPress plugin by Purethemes contains a vulnerability allowing unauthenticated attackers to upload arbitrary media files via an AJAX endpoint lacking authorization checks. This affects all versions up to and including 2. 0. 27. Although this does not allow direct code execution, it permits unauthorized media uploads which could be leveraged for further attacks. The vulnerability is identified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has a CVSS 3. 1 base score of 5. 3, indicating medium severity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-14938 is an unauthenticated arbitrary media upload vulnerability in the Listeo Core WordPress plugin (up to version 2.0.27). The issue arises from missing authorization and capability checks in the AJAX handler function "listeo_core_handle_dropped_media". This allows attackers to upload arbitrary media files to the site's media library without authentication. While direct code execution is not possible through this vulnerability, the ability to upload files without restriction can lead to indirect impacts. No official patch or remediation guidance is currently documented by the vendor.
Potential Impact
An unauthenticated attacker can upload arbitrary media files to the WordPress media library of sites running the vulnerable Listeo Core plugin. This unauthorized upload capability can lead to potential misuse such as hosting malicious content or facilitating further attacks, although direct code execution is not achievable through this vulnerability alone. The impact is limited to integrity (I:L) with no confidentiality or availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should consider restricting access to the AJAX endpoint if possible or disabling the plugin temporarily. Monitoring for unauthorized media uploads and removing suspicious files is recommended. No official patch or temporary fix is currently documented.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-18T21:26:49.488Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d0f6560a160ebd92e6d952
Added to database: 4/4/2026, 11:30:30 AM
Last enriched: 4/4/2026, 11:45:51 AM
Last updated: 4/5/2026, 1:36:11 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.