CVE-2025-14938
Received Received - Intake
Unauthenticated Arbitrary Media Upload in Listeo Core Plugin

Publication date: 2026-04-04

Last updated on: 2026-04-04

Assigner: Wordfence

Description
The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the "listeo_core_handle_dropped_media" function. This is due to missing authorization and capability checks on the AJAX endpoint handling file uploads. This makes it possible for unauthenticated attackers to upload arbitrary media to the site's media library, without achieving direct code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-04
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14938
EUVD
EUVD-2025-209219
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
purethemes listeo_core to 2.0.27 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Listeo Core plugin for WordPress has a vulnerability in all versions up to and including 2.0.27 that allows unauthenticated attackers to upload arbitrary media files to the site's media library.

This occurs because the AJAX endpoint responsible for handling file uploads, specifically the "listeo_core_handle_dropped_media" function, lacks proper authorization and capability checks.

Although attackers can upload arbitrary media, this vulnerability does not allow them to directly execute code on the site.

Impact Analysis

This vulnerability allows unauthenticated attackers to upload arbitrary media files to your WordPress site's media library.

While it does not provide direct code execution, the presence of unauthorized media files could lead to indirect impacts such as storage abuse, potential phishing or social engineering through malicious media, or further exploitation if combined with other vulnerabilities.

The CVSS score of 5.3 indicates a medium severity impact, primarily affecting the integrity of the site by allowing unauthorized content insertion.

Mitigation Strategies

To mitigate this vulnerability, update the Listeo Core plugin to a version later than 2.0.27, as all versions up to and including 2.0.27 are vulnerable.

After updating, clear your website's cache and hosting cache to ensure the update is fully applied.

Also, make sure to update related plugins such as Listeo Editor and Listeo Elementor to their latest versions.

Compliance Impact

The vulnerability allows unauthenticated attackers to upload arbitrary media files to the WordPress site's media library due to missing authorization checks.

While this does not lead to direct code execution, the ability to upload arbitrary media could potentially expose the site to risks related to data integrity and unauthorized content hosting.

However, there is no direct information provided about how this vulnerability impacts compliance with standards such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart