Listee Vulnerability (Critical) – CVE-2025-12981

by | Feb 26, 2026 | Themes

Attack Vectors

Listee (WordPress theme) is affected by an unauthenticated privilege escalation vulnerability in versions up to and including 1.1.6. Rated Critical (CVSS 9.8), this issue allows an attacker to create an account with Administrator privileges without logging in.

The attack can be executed remotely over the internet with no user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). In practical terms, an attacker can target the site’s registration flow and manipulate a request parameter to obtain elevated access.

For reference and tracking, this vulnerability is recorded as CVE-2025-12981.

Security Weakness

The root cause is a broken validation check in the bundled listee-core plugin’s user registration function. Specifically, the registration process fails to properly sanitize and validate the user_role parameter, which can be manipulated to assign an elevated role (including Administrator) during account creation.

This is a high-risk class of weakness because it bypasses normal administrative controls and turns a public-facing feature (registration) into a direct path to full site takeover.

Remediation: Update Listee to version 1.1.7 (or a newer patched version). Source: Wordfence vulnerability record.
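To make the weakness concrete, here is an added illustration (not listee-core's code, and not the vendor's fix): a generic WordPress registration handler that copies a client-supplied user_role straight into wp_insert_user(), beside a hardened version in which the server decides the role from a fixed allowlist, and a compensating mu-plugin hook that demotes any self-registered account that ends up with a role outside that allowlist. All function names, the nonce action, and the allowlist contents are hypothetical.

```php
<?php
// Added example, not code from the Listee theme or the listee-core plugin.
// Names prefixed example_ are hypothetical.

// Roles a public registration form is ever allowed to grant (hypothetical allowlist).
const EXAMPLE_PUBLIC_ROLES = array( 'subscriber' );

// VULNERABLE PATTERN: the role is read from the request and applied as-is,
// so an unauthenticated client can ask for any role wp_insert_user() accepts.
function example_register_user_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) ( $_POST['user_pass'] ?? '' );
    $role  = sanitize_text_field( wp_unslash( $_POST['user_role'] ?? 'subscriber' ) );

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role, // client-controlled: the core defect
    ) );
}

// Map whatever the client requested onto the allowlist; anything else
// (including "administrator") falls back to the site's configured default role.
function example_resolve_public_role( $requested ) {
    $requested = sanitize_key( $requested ); // lowercases and strips unsafe characters
    if ( in_array( $requested, EXAMPLE_PUBLIC_ROLES, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

// HARDENED PATTERN: registration must be enabled, the request must carry a
// valid nonce, inputs are validated, and the role is chosen server-side.
function example_register_user_hardened() {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }
    if ( ! wp_verify_nonce( (string) ( $_POST['_wpnonce'] ?? '' ), 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) ( $_POST['user_pass'] ?? '' );

    if ( ! validate_username( $login ) || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        return new WP_Error( 'invalid_input', 'Invalid registration data.' );
    }

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => example_resolve_public_role( $_POST['user_role'] ?? '' ),
    ) );
}

// COMPENSATING CONTROL (e.g. in wp-content/mu-plugins/): after any user is
// created, if nobody with the create_users capability is logged in, strip any
// role that is not on the public allowlist. Useful while a site cannot yet update.
add_action( 'user_register', 'example_demote_unauthorized_roles', 10, 1 );
function example_demote_unauthorized_roles( $user_id ) {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return; // provisioning from the command line is treated as trusted here
    }
    if ( current_user_can( 'create_users' ) ) {
        return; // an administrator created this account deliberately
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $unexpected = array_diff( (array) $user->roles, EXAMPLE_PUBLIC_ROLES );
    if ( ! empty( $unexpected ) ) {
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
        error_log( sprintf( 'example: user %d self-registered with role(s) %s; demoted',
            $user_id, implode( ',', $unexpected ) ) );
    }
}
```

The hook is a stop-gap, not a substitute for updating to 1.1.7: it runs only after the account exists, it will also demote accounts created by any other plugin that inserts users outside an administrator's session, and the site's default_role option must itself be checked, since a default of administrator makes every registration privileged regardless of the request.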

Technical or Business Impacts

Business risk is immediate and severe. If exploited, an attacker can gain Administrator access and effectively control your WordPress environment. This can lead to brand damage, loss of customer trust, and potential compliance exposure—especially if personal data, lead forms, or e-commerce transactions are involved.

Potential impacts include: defacement of marketing pages, unauthorized redirects (SEO poisoning), insertion of malicious scripts (impacting visitors and ad performance), theft of customer/lead data, creation of hidden admin users for persistence, disabling security plugins, and disruption of site availability. The CVSS ratings indicate high impact to confidentiality, integrity, and availability—meaning data exposure, unauthorized changes, and downtime are all credible outcomes.

What to do after patching: review the list of WordPress users (especially newly created Administrator accounts), check for unexpected changes to themes/plugins, and rotate credentials (WordPress admin accounts and hosting control panel) if you suspect exposure.
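The user review described above can be scripted. The following is an added example (not from the advisory) that lists Administrator accounts registered after a cutoff date and reports the two registration settings that decide what a self-registered account receives; the cutoff date is a placeholder to replace with the date the site first ran a vulnerable version, and the function name is hypothetical.

```php
<?php
// Added example, not part of the advisory. Run inside WordPress (e.g. via
// `wp eval-file audit.php`); the default cutoff is a placeholder.
function example_post_patch_user_audit( $since = '2026-01-01 00:00:00' ) {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        // date_query on WP_User_Query filters on user_registered
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );

    return array(
        // Administrator accounts created in the window under review
        'recent_admins'      => $query->get_results(),
        // If registration is open AND default_role is privileged, every
        // sign-up is an admin regardless of any request parameter.
        'users_can_register' => (bool) get_option( 'users_can_register' ),
        'default_role'       => get_option( 'default_role', 'subscriber' ),
    );
}

$report = example_post_patch_user_audit();
foreach ( $report['recent_admins'] as $admin ) {
    printf( "%d\t%s\t%s\t%s\n", $admin->ID, $admin->user_login,
        $admin->user_email, $admin->user_registered );
}
printf( "users_can_register=%s default_role=%s\n",
    $report['users_can_register'] ? 'yes' : 'no', $report['default_role'] );
```

The same listing is available without PHP through WP-CLI with `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --orderby=user_registered --order=desc`; for the theme/plugin change review, `wp core verify-checksums` and `wp plugin verify-checksums --all` compare installed files against the WordPress.org originals, and any file they flag deserves a look before credentials are rotated.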

Similar attacks (real-world examples): Unauthenticated admin creation and site takeover via vulnerable registration or setup workflows has been exploited at scale before—for example, the ThemeGrill Demo Importer takeover vulnerability documented by Wordfence: ThemeGrill Demo Importer Vulnerability (Wordfence).
