CVE-2026-25461
Reflected XSS in Listeo Core β€ 2.0.21 Enables Code Injection
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| purethemes | listeo_core | to 2.0.21 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-25461 vulnerability is a reflected Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts into websites using the vulnerable Listeo Core plugin. Such vulnerabilities can lead to unauthorized access, data manipulation, or exposure of sensitive information.
Because of these risks, exploitation of this vulnerability could potentially lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.
Organizations using the affected plugin should apply mitigations or patches promptly to reduce the risk of data breaches and maintain compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a reflected Cross Site Scripting (XSS) issue in the WordPress Listeo Core Plugin up to version 2.0.21. Detection typically involves monitoring for suspicious HTTP requests or responses that include injected scripts or unusual payloads targeting the vulnerable plugin.
Since no specific detection commands or tools are provided in the available information, general approaches include using web application scanners or proxy tools (such as Burp Suite or OWASP ZAP) to test for reflected XSS by sending crafted requests to the web application and observing if injected scripts are reflected in responses.
Network-level detection might involve inspecting HTTP traffic for suspicious query parameters or payloads that could trigger the XSS vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the mitigation rule issued by Patchstack to block attacks targeting this vulnerability until an official patch is released.
Since no official patch is currently available, it is advised to monitor for updates and apply the official patch once it becomes available.
Additionally, restricting user input and avoiding clicking on suspicious links or visiting untrusted pages can reduce the risk of exploitation.
Can you explain this vulnerability to me?
This vulnerability is a type of Cross-site Scripting (XSS) known as Reflected XSS. It occurs in the Listeo Core software (version 2.0.21 and earlier) developed by purethemes. The issue arises because the software does not properly neutralize input during web page generation, allowing malicious scripts to be injected and executed in the context of a user's browser.
How can this vulnerability impact me? :
Reflected XSS vulnerabilities can allow attackers to execute malicious scripts in the browsers of users who visit affected web pages. This can lead to theft of sensitive information such as cookies, session tokens, or other private data, as well as potential redirection to malicious sites or unauthorized actions performed on behalf of the user.