CVE-2025-67932 is a reflected Cross-site Scripting (XSS) vulnerability identified in the Listeo Core product developed by purethemes, affecting all versions prior to 2.0.19. The vulnerability stems from improper neutralization of input during web page generation, which allows attackers to inject malicious scripts into web pages that are then reflected back to users. This reflected XSS can be exploited remotely over the network without requiring any privileges on the target system, but it does require user interaction, such as clicking on a maliciously crafted URL. The vulnerability impacts the confidentiality and integrity of user data by enabling attackers to execute arbitrary scripts in the context of the victim’s browser session. Potential consequences include theft of session cookies, user credentials, or other sensitive information, as well as manipulation of the web page content to perform phishing or social engineering attacks. The vulnerability does not affect system availability. The CVSS 3.1 base score is 6.1, indicating a medium severity level, with an attack vector of network, low attack complexity, no privileges required, user interaction required, and scope changed due to impact on user data beyond the vulnerable component. No known public exploits have been reported yet, but the vulnerability is publicly disclosed and patched in version 2.0.19 of Listeo Core. The lack of patch links in the provided data suggests organizations should consult the vendor’s official channels for updates. The vulnerability is particularly relevant for organizations running Listeo Core as part of their web infrastructure, especially those providing online marketplaces or service directories, which are common use cases for this product.

For European organizations, the impact of CVE-2025-67932 can be significant in contexts where Listeo Core is used to power customer-facing web portals, marketplaces, or service listings. Successful exploitation could lead to session hijacking, unauthorized access to user accounts, and data leakage, undermining user trust and potentially violating GDPR requirements regarding personal data protection. The reflected XSS can also facilitate phishing attacks by injecting deceptive content, increasing the risk of credential theft or fraud. While the vulnerability does not directly impact system availability, the reputational damage and potential regulatory penalties from data breaches could be substantial. Organizations in sectors such as e-commerce, tourism, and local services that rely on Listeo Core for their digital presence are particularly vulnerable. Additionally, the medium severity score suggests that while the risk is not critical, it is sufficiently serious to warrant immediate remediation to prevent exploitation, especially given the ease of attack execution over the network without authentication.

1. Upgrade Listeo Core to version 2.0.19 or later immediately to apply the official patch addressing this vulnerability. 2. Implement strict input validation on all user-supplied data, ensuring that special characters are properly sanitized or encoded before being reflected in web pages. 3. Employ context-aware output encoding (e.g., HTML entity encoding) to neutralize potentially malicious input in the rendered HTML. 4. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 6. Educate users and administrators about the risks of clicking on suspicious links and encourage the use of security-aware browsing practices. 7. Monitor web server logs and intrusion detection systems for unusual request patterns indicative of attempted XSS exploitation. 8. If immediate patching is not feasible, consider implementing Web Application Firewall (WAF) rules to detect and block reflected XSS attack vectors targeting Listeo Core endpoints.