CVE-2025-14938

The Listeo Core plugin for WordPress versions up to and including 2.0.27 is vulnerable to unauthenticated arbitrary media upload. The 'listeo_core_handle_dropped_media' function lacks authorization and capability checks on the AJAX endpoint handling file uploads [1].

An unauthenticated attacker can exploit this by sending crafted requests to the AJAX endpoint, uploading arbitrary media files to the site's media library without any authentication [1]. The vulnerability does not directly allow code execution, but uploaded media can be used for further attacks.

While direct code execution is not achieved, attackers can upload arbitrary media, potentially leading to stored cross-site scripting (XSS) if the media is displayed on the site, or filling the media library with unwanted content [1].

The vulnerability is addressed in version 2.0.36 of the plugin, as per the changelog [1]. Users are strongly advised to update to the latest version to mitigate the risk.