Threat Entry Updated 2025-10-27

CVE-2025-8413 - Listeo Theme

The Listeo theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `soundcloud` shortcode in version less than, or equal to, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Listeo

CVE-2025-8413

MEDIUM CVSS 6.4 2025-10-25

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24318 - Listeo Theme

The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector.

THEME Listeo

CVE-2021-24318

MEDIUM CVSS 6.5 2021-06-01

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24317 - Listeo Theme

The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues

THEME Listeo

CVE-2021-24317

MEDIUM CVSS 6.1 2021-06-01

Risk Score

Open Full Technical Breakdown