Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through <= 2.0.21.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the purethemes Listeo Core WordPress plugin through version 2.0.21, allowing attackers to inject malicious scripts into web pages viewed by victims. An attacker can craft a malicious URL containing JavaScript payload that executes in the victim's browser when they visit the link, potentially stealing session cookies, credentials, or performing actions on behalf of the user. No CVSS score, EPSS data, or active KEV status is currently published, but the vulnerability is documented by Patchstack with a direct reference to the affected plugin version.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic web application security flaw where user-supplied input is reflected directly into HTML output without proper encoding or sanitization. The Listeo Core plugin (identified via CPE cpe:2.3:a:purethemes:listeo_core:*:*:*:*:*:*:*:*) is a WordPress plugin that fails to neutralize malicious input parameters during the page generation process. Reflected XSS differs from stored XSS in that the payload is not persisted in a database; instead, it travels via URL parameters or POST data and executes only when that specific crafted link is visited. WordPress plugins are particularly vulnerable to this class of attack when they directly output user input via PHP functions like echo() or _e() without escaping via wp_kses_post() or similar sanitization functions.
RemediationAI
Immediately update the Listeo Core plugin to the latest available version beyond 2.0.21 via the WordPress plugin management interface or directly from the purethemes repository. Verify the update through the plugin settings and test functionality on a staging environment before production deployment. As an interim mitigation for sites that cannot immediately patch, implement a Web Application Firewall (WAF) rule set to detect and block common XSS payloads in URL parameters and POST data, and enforce Content Security Policy (CSP) headers via WordPress security plugins such as Wordfence or Sucuri to restrict script execution. Additionally, educate site administrators and users not to click on suspicious links referencing the Listeo Core plugin functionality, and monitor access logs for unusual query string patterns that may indicate exploitation attempts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15744