CVE-2025-14938: CWE-434 Unrestricted Upload of File with Dangerous Type in purethemes Listeo-Core - Directory Plugin by Purethemes
The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the "listeo_core_handle_dropped_media" function. This is due to missing authorization and capability checks on the AJAX endpoint handling file uploads. This makes it possible for unauthenticated attackers to upload arbitrary media to the site's media library, without achieving direct code execution.
AI Analysis
Technical Summary
CVE-2025-14938 is a vulnerability in the Listeo Core WordPress plugin by Purethemes that permits unauthenticated arbitrary media uploads through the 'listeo_core_handle_dropped_media' AJAX function. The root cause is missing authorization and capability checks on the file upload endpoint, enabling attackers to add files to the media library without authentication. While this does not directly allow code execution, it poses a risk by potentially enabling further attacks through malicious file uploads. The vulnerability affects all versions up to 2.0.27. No patch or official remediation level has been disclosed, and no known exploits have been reported.
Potential Impact
The vulnerability allows unauthenticated attackers to upload arbitrary media files to the WordPress site's media library. This could lead to indirect impacts such as hosting malicious files or facilitating further attacks, but direct code execution is not possible according to the available data. The medium severity rating reflects the limited but notable risk posed by unauthorized file uploads.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider restricting access to the affected AJAX endpoint or disabling the Listeo Core plugin if feasible. Monitoring for unauthorized file uploads may help detect exploitation attempts. Follow updates from Purethemes for any forthcoming patches or official mitigation instructions.
CVE-2025-14938: CWE-434 Unrestricted Upload of File with Dangerous Type in purethemes Listeo-Core - Directory Plugin by Purethemes
Description
The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the "listeo_core_handle_dropped_media" function. This is due to missing authorization and capability checks on the AJAX endpoint handling file uploads. This makes it possible for unauthenticated attackers to upload arbitrary media to the site's media library, without achieving direct code execution.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-14938 is a vulnerability in the Listeo Core WordPress plugin by Purethemes that permits unauthenticated arbitrary media uploads through the 'listeo_core_handle_dropped_media' AJAX function. The root cause is missing authorization and capability checks on the file upload endpoint, enabling attackers to add files to the media library without authentication. While this does not directly allow code execution, it poses a risk by potentially enabling further attacks through malicious file uploads. The vulnerability affects all versions up to 2.0.27. No patch or official remediation level has been disclosed, and no known exploits have been reported.
Potential Impact
The vulnerability allows unauthenticated attackers to upload arbitrary media files to the WordPress site's media library. This could lead to indirect impacts such as hosting malicious files or facilitating further attacks, but direct code execution is not possible according to the available data. The medium severity rating reflects the limited but notable risk posed by unauthorized file uploads.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider restricting access to the affected AJAX endpoint or disabling the Listeo Core plugin if feasible. Monitoring for unauthorized file uploads may help detect exploitation attempts. Follow updates from Purethemes for any forthcoming patches or official mitigation instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-18T21:26:49.488Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d0f6560a160ebd92e6d952
Added to database: 4/4/2026, 11:30:30 AM
Last enriched: 4/11/2026, 1:52:10 PM
Last updated: 5/19/2026, 11:44:41 PM
Views: 64
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.