Skip to main content

Listeo Core EUVDEUVD-2026-15744

| CVE-2026-25461 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15744
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through <= 2.0.21.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the purethemes Listeo Core WordPress plugin through version 2.0.21, allowing attackers to inject malicious scripts into web pages viewed by victims. An attacker can craft a malicious URL containing JavaScript payload that executes in the victim's browser when they visit the link, potentially stealing session cookies, credentials, or performing actions on behalf of the user. No CVSS score, EPSS data, or active KEV status is currently published, but the vulnerability is documented by Patchstack with a direct reference to the affected plugin version.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic web application security flaw where user-supplied input is reflected directly into HTML output without proper encoding or sanitization. The Listeo Core plugin (identified via CPE cpe:2.3:a:purethemes:listeo_core:*:*:*:*:*:*:*:*) is a WordPress plugin that fails to neutralize malicious input parameters during the page generation process. Reflected XSS differs from stored XSS in that the payload is not persisted in a database; instead, it travels via URL parameters or POST data and executes only when that specific crafted link is visited. WordPress plugins are particularly vulnerable to this class of attack when they directly output user input via PHP functions like echo() or _e() without escaping via wp_kses_post() or similar sanitization functions.

RemediationAI

Immediately update the Listeo Core plugin to the latest available version beyond 2.0.21 via the WordPress plugin management interface or directly from the purethemes repository. Verify the update through the plugin settings and test functionality on a staging environment before production deployment. As an interim mitigation for sites that cannot immediately patch, implement a Web Application Firewall (WAF) rule set to detect and block common XSS payloads in URL parameters and POST data, and enforce Content Security Policy (CSP) headers via WordPress security plugins such as Wordfence or Sucuri to restrict script execution. Additionally, educate site administrators and users not to click on suspicious links referencing the Listeo Core plugin functionality, and monitor access logs for unusual query string patterns that may indicate exploitation attempts.

Share

EUVD-2026-15744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy