CVE-2025-12981
Received Received - Intake
Privilege Escalation in Listee WordPress Theme via User Role Manipulation

Publication date: 2026-02-27

Last updated on: 2026-02-27

Assigner: Wordfence

Description
The Listee theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.6. This is due to a broken validation check in the bundled listee-core plugin's user registration function that fails to properly sanitize the user_role parameter. This makes it possible for unauthenticated attackers to register as Administrator by manipulating the user_role parameter during registration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-02-27
Generated
2026-05-07
AI Q&A
2026-02-27
EPSS Evaluated
2026-05-05
NVD
CVE-2025-12981
EUVD
EUVD-2025-208125
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
listee theme to 1.1.6 (inc)
listee-core plugin to 1.1.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Listee theme for WordPress contains a vulnerability in all versions up to and including 1.1.6. This vulnerability arises from a broken validation check in the bundled listee-core plugin's user registration function. Specifically, the function fails to properly sanitize the user_role parameter, which allows unauthenticated attackers to manipulate this parameter during registration.

As a result, attackers can register themselves as Administrators without any authentication, effectively escalating their privileges on the affected WordPress site.


How can this vulnerability impact me? :

This vulnerability can have severe impacts because it allows unauthenticated attackers to gain Administrator access to a WordPress site using the Listee theme (up to version 1.1.6).

  • Attackers can fully control the website, including modifying content, installing malicious plugins or themes, and accessing sensitive data.
  • It can lead to data breaches, defacement, or the site being used as a platform for further attacks.
  • The high CVSS score of 9.8 indicates a critical severity with high impact on confidentiality, integrity, and availability.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart