Platform
wordpress
Component
listee
Fixed in
1.1.7
CVE-2025-12981 describes a privilege escalation vulnerability discovered in the Listee WordPress theme. This flaw allows unauthenticated attackers to bypass intended access controls and register as an administrator on a WordPress site. The vulnerability impacts versions 1.0.0 through 1.1.6 of the Listee theme, and a patch is available in version 1.1.7.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-12981 can gain complete administrative control over a WordPress site without requiring any prior authentication. This allows them to modify content, install malicious plugins, steal sensitive data (user credentials, financial information, customer data), and potentially compromise the entire server. The ease of exploitation, requiring only a crafted registration request, significantly increases the risk of widespread attacks targeting sites using the vulnerable Listee theme. This vulnerability shares similarities with other WordPress privilege escalation flaws where improper input validation leads to unauthorized access.
CVE-2025-12981 was published on 2026-02-27. Public proof-of-concept exploits are likely to emerge given the vulnerability's simplicity and high impact. The vulnerability's ease of exploitation and the popularity of WordPress make it a likely target for automated scanning and exploitation campaigns. It is not currently listed on CISA KEV, but its criticality warrants close monitoring.
Websites using the Listee WordPress theme, particularly those running vulnerable versions (1.0.0–1.1.6), are at significant risk. Shared hosting environments where multiple websites share the same server are also at increased risk, as a compromise on one site could potentially lead to lateral movement to others. Sites with weak password policies or disabled user registration are especially vulnerable.
• wordpress / composer / npm: wp plugin list | grep listee-core
• wordpress / composer / npm: wp plugin update listee-core --version=1.1.7
• wordpress / composer / npm: grep -r 'user_role' /var/www/html/wp-content/plugins/listee-core/
• generic web: Check the WordPress plugin directory for mentions of the vulnerability and associated indicators.
disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-12981 is to immediately upgrade the Listee WordPress theme to version 1.1.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling user registration on the affected site to prevent further exploitation. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious registration requests containing manipulated user roles can provide an additional layer of defense. Regularly review WordPress user accounts for any unexpected administrator accounts.
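As an added defender-side example (not the Listee theme's own code), the pattern the fix and the WAF/review mitigations above aim at: a self-registration path that discards any client-supplied role instead of validating it, a hook that refuses unauthenticated administrator assignments, and a helper for the "review administrator accounts" step. The function names, the hook choice and the request field names are assumptions for illustration.

```php
<?php
// Added example, not Listee theme code. Hook and function names are assumptions.

// The only role a self-registered user may ever receive is the site default
// (normally "subscriber"); nothing taken from the request body is considered.
function hardened_registration_role(): string {
    $default = get_option('default_role', 'subscriber');
    // Defence in depth: even a misconfigured default_role must not grant admin.
    $never_self_assignable = ['administrator', 'editor'];
    return in_array($default, $never_self_assignable, true) ? 'subscriber' : $default;
}

// Build the argument array for wp_insert_user() from a registration request.
// Any "role" or capability field the client sent is dropped, not "validated".
function hardened_registration_args(array $request): array {
    return [
        'user_login' => sanitize_user($request['user_login'] ?? '', true),
        'user_email' => sanitize_email($request['user_email'] ?? ''),
        'user_pass'  => (string) ($request['user_pass'] ?? ''),
        'role'       => hardened_registration_role(),
    ];
}

// Second line of defence: revert administrator assignments that happen while no
// user with the promote_users capability is logged in (i.e. anonymous registration).
add_action('set_user_role', function (int $user_id, string $role, array $old_roles): void {
    if ($role === 'administrator' && !current_user_can('promote_users')) {
        $user = new WP_User($user_id);
        $user->set_role(hardened_registration_role()); // re-fires the hook, but not for admin
        error_log("Reverted unauthenticated administrator assignment for user {$user_id}");
    }
}, 10, 3);

// Audit helper for the "review administrator accounts" mitigation:
// wp eval 'print_r(list_recent_admins(7));'  lists admins created in the last N days.
function list_recent_admins(int $days): array {
    $since  = gmdate('Y-m-d H:i:s', time() - $days * 86400);
    $admins = get_users([
        'role'   => 'administrator',
        'fields' => ['ID', 'user_login', 'user_registered'],
    ]);
    return array_values(array_filter($admins, fn($u) => $u->user_registered >= $since));
}
```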
Update to version 1.1.7 or a newer patched version.
CVE-2025-12981 is a critical vulnerability allowing unauthenticated attackers to register as administrators in the Listee WordPress theme due to flawed user role validation. It impacts versions 1.0.0–1.1.6 and has a CVSS score of 9.8.
If you are using the Listee WordPress theme versions 1.0.0 through 1.1.6, you are vulnerable. Check your theme version and upgrade immediately.
Upgrade the Listee WordPress theme to version 1.1.7 or later. If upgrading is not possible, temporarily disable user registration.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a medium probability of active attacks.
Refer to the official Listee theme documentation or website for the latest advisory and updates regarding CVE-2025-12981.