CVE-2025-12981
Published: 27 February 2026
Summary
CVE-2025-12981 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in the Listee WordPress theme by Dreamstechnologies (vendor inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 42.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-12981 is a privilege escalation vulnerability affecting the Listee theme for WordPress in all versions up to and including 1.1.6. The flaw originates in the bundled listee-core plugin's user registration function, where a broken validation check fails to properly sanitize the user_role parameter, enabling manipulation during the registration process.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By altering the user_role parameter to Administrator during registration, they can create an account with full administrative privileges, granting high-impact access to confidentiality, integrity, and availability of the affected WordPress site (CWE-269: Improper Privilege Management).
Advisories and patch information are detailed in references including the theme's changelog at https://listee-wp.dreamstechnologies.com/documentation/changelog.html, the ThemeForest product page at https://themeforest.net/item/listee-classified-ads-wordpress-theme/44526956, the vulnerable code at https://themes.trac.wordpress.org/browser/listee/1.1.5/listee-core/includes/listee-core-users.php#L928, and Wordfence's threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/d534feae-d1b7-4544-b1c5-c23f37dd5bab?source=cve.
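The flaw described above is a registration handler that lets the request pick its own role. The following is an added example of the hardened pattern; it is illustrative code, not the Listee theme's code or its fix. The form field names, the `example_` function and hook names, the nonce action and the hypothetical `listing_owner` role are assumptions; the WordPress functions called (`sanitize_key`, `wp_roles()`, `wp_insert_user`, `wp_verify_nonce`, and so on) are real core APIs.

```php
<?php
/**
 * Added example (not the theme's code): a front-end registration handler
 * that derives the new account's role on the server instead of trusting
 * a submitted user_role value. The vulnerable pattern the record describes
 * is passing that submitted value through to the user-creation call unchecked.
 */

// Roles a visitor may choose for themselves on the public form (assumption).
// Privileged roles such as 'administrator' are deliberately absent.
const EXAMPLE_SELF_REGISTER_ROLES = array( 'subscriber', 'listing_owner' );

/**
 * Reduce an untrusted role string to one of the allowed self-registration
 * roles, falling back to the site's configured default role.
 */
function example_resolve_registration_role( $requested ) {
    $role = sanitize_key( (string) $requested ); // lowercase a-z, 0-9, '_' and '-' only

    if ( in_array( $role, EXAMPLE_SELF_REGISTER_ROLES, true ) && wp_roles()->is_role( $role ) ) {
        return $role;
    }
    // Anything else, including 'administrator', collapses to the site default.
    return get_option( 'default_role', 'subscriber' );
}

/**
 * Handles the public registration form (hook name is an assumption).
 */
function example_handle_registration() {
    $nonce = isset( $_POST['example_register_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_register_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_register' ) ) {
        wp_die( 'Invalid registration request.' );
    }
    if ( ! get_option( 'users_can_register' ) ) {
        wp_die( 'Registration is disabled.' );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['user_pass'] ?? '' );

    // Server-side decision: the client's user_role is only a hint that must
    // survive the allowlist, never a value copied into the account.
    $role = example_resolve_registration_role( $_POST['user_role'] ?? '' );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ) );
    }

    wp_safe_redirect( home_url( '/registration-complete/' ) ); // path is an assumption
    exit;
}
add_action( 'admin_post_nopriv_example_register', 'example_handle_registration' );
```

The important property is that the role is selected by server-side policy: the allowlist is a fixed constant, the submitted value is only checked against it, and every unrecognised or privileged value degrades to the `default_role` option rather than being honoured.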
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208125
Vulnerability details
The Listee theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.6. This is due to a broken validation check in the bundled listee-core plugin's user registration function that fails to properly sanitize the user_role parameter. This makes it possible for unauthenticated attackers to register as Administrator by manipulating the user_role parameter during registration.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated exploitation of public-facing WordPress app for privilege escalation via improper input validation, enabling creation of high-privilege admin accounts.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly addresses the failure to sanitize and validate the user_role parameter during user registration, preventing its manipulation for privilege escalation.
AC-2 (Account Management): requires management of the account creation process so that only authorized privileges are assigned, blocking unauthorized administrator accounts created through registration.
Mandates timely remediation of the identified flaw in the listee-core plugin's user registration function via patching.
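As a practical check for the account-management control, a site owner wants to know whether any administrator account was created during the exposure window. The following is an added example, not part of this record or of the theme: it lists administrator accounts registered on or after a given UTC timestamp using WordPress's own `WP_User_Query`. The `example_` function name, the file name and the placeholder date are assumptions.

```php
<?php
/**
 * Added example (not the theme's code): enumerate administrator accounts
 * registered on or after a given UTC timestamp, newest first, so that
 * accounts that appeared through self-registration stand out.
 *
 * Run from the site root with WP-CLI, e.g. `wp eval-file audit-admins.php`
 * (file name is an assumption), or drop the function into a mu-plugin.
 */

/**
 * @param string $since_utc  'YYYY-MM-DD HH:MM:SS' in UTC (user_registered is stored in UTC).
 * @return object[]          Objects with ID, user_login, user_email, user_registered.
 */
function example_list_admins_since( $since_utc ) {
    $query = new WP_User_Query( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
        'number'  => -1, // no paging: we want every administrator
        'fields'  => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );

    $cutoff  = strtotime( $since_utc . ' UTC' );
    $flagged = array();

    foreach ( $query->get_results() as $user ) {
        if ( strtotime( $user->user_registered . ' UTC' ) >= $cutoff ) {
            $flagged[] = $user;
        }
    }
    return $flagged;
}

// Placeholder cutoff: use the date the vulnerable theme version was deployed,
// or the last audit in which the administrator list was confirmed.
$since = '2026-01-01 00:00:00';

printf( "Administrator accounts registered since %s UTC:\n", $since );
foreach ( example_list_admins_since( $since ) as $user ) {
    printf( "%d\t%s\t%s\t%s\n", $user->ID, $user->user_login, $user->user_email, $user->user_registered );
}
```

Any account in the output that the site's owners did not create themselves should be treated as an indicator of compromise for this vulnerability and reviewed (and, if unexplained, disabled) before or alongside applying the theme update; an attacker who obtained an administrator account keeps it after patching unless it is removed.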