Platform
wordpress
Component
listee
Fixed in
1.1.7
CVE-2025-12981 describes a privilege escalation vulnerability discovered in the Listee WordPress theme. This flaw allows unauthenticated attackers to bypass intended access controls and register as an administrator on a WordPress site. The vulnerability impacts versions 1.0.0 through 1.1.6 of the Listee theme, and a patch is available in version 1.1.7.
The impact of this vulnerability is severe. An attacker can exploit it to gain full administrative access to a WordPress site without any prior credentials, which grants complete control over the site's content, configuration, users and plugins, and potentially a foothold on the underlying server. From there they could deface the site, steal data, install backdoors or malware, or use the compromised site as a launchpad for further attacks. The root cause is a broken validation check in the theme's user registration function: the role assigned to the new account is influenced by a client-supplied user_role parameter, so an attacker can manipulate that parameter to request the administrator role and bypass the intended access controls.
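The bug class described above, as an added illustrative example rather than the Listee theme's own code: a hypothetical theme registration handler that trusts a client-supplied user_role value, beside a hardened version that chooses the role server-side. All function names, form field names and the list of self-service roles are assumptions.

```php
<?php
// Added example; not Listee's code. Both handlers assume they run inside
// WordPress (wp_insert_user, wp_verify_nonce, get_role, etc. are core functions).

// VULNERABLE PATTERN: the role is read straight from the POST body. Sanitizing
// the string does not validate it, so user_role=administrator creates an admin
// for an unauthenticated visitor.
function hypo_register_user_vulnerable() {
    $role = isset( $_POST['user_role'] )
        ? sanitize_text_field( wp_unslash( $_POST['user_role'] ) )
        : 'subscriber';

    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => $role, // attacker-controlled
    ) );
}

// HARDENED PATTERN: the client never decides the role. Self-registration gets
// the site default, an optional allowlisted low-privilege role may be chosen,
// and anything else requires a logged-in caller with promote_users.
function hypo_register_user_hardened() {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.' );
    }
    if ( ! isset( $_POST['hypo_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['hypo_nonce'] ), 'hypo_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    $allowed_self_service = array( 'subscriber' ); // assumption: roles a visitor may pick
    $requested = isset( $_POST['user_role'] ) ? sanitize_key( $_POST['user_role'] ) : '';
    $role      = get_option( 'default_role', 'subscriber' );

    if ( '' !== $requested && ! in_array( $requested, $allowed_self_service, true ) ) {
        // Privileged roles (administrator, editor, ...) need an authenticated
        // caller who is allowed to promote users, and the role must exist.
        if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
            return new WP_Error( 'forbidden_role', 'You may not register with that role.' );
        }
        if ( ! get_role( $requested ) ) {
            return new WP_Error( 'unknown_role', 'Unknown role.' );
        }
    }
    if ( '' !== $requested ) {
        $role = $requested;
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => $role, // decided server-side
    ) );
}
```

The point of the hardened version is that the decision about privilege is made from the caller's authenticated capabilities, not from any value in the request; an allowlist of harmless roles is the only client input that is honoured.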
This vulnerability was publicly disclosed on 2026-02-27. No public proof-of-concept (PoC) code has been widely reported, but the attack amounts to a crafted registration request, so opportunistic scanning for vulnerable sites should be expected. Balanced against the currently low EPSS score, the likelihood of exploitation is assessed as medium, highest for sites with open registration, default configurations or limited security monitoring. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Listee WordPress theme to version 1.1.7 or later immediately. If upgrading is not feasible right away because of compatibility issues or breaking changes, temporarily disable user registration so that no new accounts can be created; note that this only helps if the theme's registration form honours the users_can_register setting, so confirm the form actually rejects submissions afterwards. Review existing user accounts, paying particular attention to administrators whose registration date falls after the disclosure, and remove or demote any you cannot account for. Administrators should also enforce strong password policies and enable two-factor authentication. After upgrading, verify the fix from an unauthenticated session by submitting a registration with the user_role parameter set to administrator: the request should be rejected, or at most produce an account with the site's default role.
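The stop-gap measures above (disable registration, block privileged self-registration, review recent administrators), as an added must-use plugin example that is not part of the Listee theme or the advisory. It assumes the theme creates accounts through WordPress core (wp_insert_user / WP_User::set_role), which is what the core hooks used here observe; a handler that writes wp_capabilities user meta directly would not be caught. The plugin name, the privileged-role list and the helper name are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary hardening for CVE-2025-12981 (added example, not from Listee)
 * Description: Drop into wp-content/mu-plugins/ until the theme is updated to 1.1.7 or later.
 */

// 1. Disable self-registration regardless of the stored option value.
//    pre_option_{$option} short-circuits get_option(); __return_zero yields 0.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// 2. Virtual patch: a new or re-roled account must not end up privileged unless
//    the current request comes from someone allowed to promote users. This
//    covers both wp_insert_user( array( 'role' => ... ) ) and a later set_role().
function cve_2025_12981_guard_role( $user_id ) {
    static $demoting = false; // set_role() re-fires set_user_role; avoid recursion
    if ( $demoting ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $privileged = array( 'administrator', 'editor', 'author' ); // assumption: never self-assignable
    if ( array_intersect( $privileged, (array) $user->roles ) && ! current_user_can( 'promote_users' ) ) {
        $demoting = true;
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
        $demoting = false;
        error_log( sprintf( 'CVE-2025-12981 guard: demoted user %d (%s)', $user_id, $user->user_login ) );
    }
}
add_action( 'user_register', 'cve_2025_12981_guard_role', 1 );
add_action( 'set_user_role', 'cve_2025_12981_guard_role', 1 );

// 3. Audit helper: administrators registered within the last $days days, for the
//    account review. Returns objects with ID, user_login, user_email, user_registered.
function cve_2025_12981_recent_admins( $days = 90 ) {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => "{$days} days ago" ) ), // matches user_registered
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
    return $query->get_results();
}
```

With WP-CLI available, `wp eval 'print_r( cve_2025_12981_recent_admins( 90 ) );'` prints the list for review, and `wp theme list --fields=name,version` confirms whether the installed Listee version is still in the 1.0.0 to 1.1.6 range. Remove the mu-plugin once the theme has been updated and the fix verified, or registration will stay disabled.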
Update to version 1.1.7, or a newer patched version
CVE-2025-12981 is a critical vulnerability allowing unauthenticated attackers to register as administrators in the Listee WordPress theme due to flawed user role validation. It impacts versions 1.0.0–1.1.6 and has a CVSS score of 9.8.
If you are using the Listee WordPress theme versions 1.0.0 through 1.1.6, you are vulnerable. Check your theme version and upgrade immediately.
Upgrade the Listee WordPress theme to version 1.1.7 or later. If upgrading is not possible, temporarily disable user registration.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a medium probability of active attacks.
Refer to the official Listee theme documentation or website for the latest advisory and updates regarding CVE-2025-12981.