
CVE-2025-12981

Critical

Published: 27 February 2026
Modified: 15 April 2026
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0057 (42.9th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-12981 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in a Dreamstechnologies product (vendor inferred from the references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks this CVE at the 42.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-12981 is a privilege escalation vulnerability affecting the Listee theme for WordPress in all versions up to and including 1.1.6. The flaw originates in the bundled listee-core plugin's user registration function, where a broken validation check fails to properly sanitize the user_role parameter, enabling manipulation during the registration process.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By setting the user_role parameter to Administrator during registration, they can create an account with full administrative privileges, with high impact on the confidentiality, integrity, and availability of the affected WordPress site (CWE-269: Improper Privilege Management).
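The following PHP is an added illustration of this bug class and is not the listee-core plugin's code (the actual handler is linked in the references below). It shows a registration handler that honours a client-supplied user_role next to a hardened version that resolves the role server-side from an allowlist, plus a small audit hook that records any account leaving registration with the administrator role. The function names, the listing_owner custom role, the nonce action and the shape of the $request array are assumptions made for the example.

```php
<?php
// Added example for CVE-2025-12981's bug class (CWE-269). Not the listee-core code.
// Assumes it runs inside WordPress (wp_insert_user, get_option, etc. are core APIs).

// BEFORE (vulnerable pattern): the role is read from the request. The only "check"
// is that the value is a non-empty string, so a client may send any role name,
// including administrator, and wp_insert_user() will assign it.
function listing_register_user_vulnerable( array $request ) {
    $username = sanitize_user( wp_unslash( $request['user_login'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $request['user_email'] ?? '' ) );
    $password = (string) ( $request['user_pass'] ?? '' );
    $role     = sanitize_text_field( wp_unslash( $request['user_role'] ?? 'subscriber' ) );

    if ( '' === $username || '' === $email || '' === $password || '' === $role ) {
        return new WP_Error( 'missing_fields', 'Username, email, password and role are required.' );
    }

    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role, // trusted straight from the client: the flaw
    ) );
}

// AFTER (hardened): the client never chooses a privilege level. A requested role is
// only accepted if it is on a fixed allowlist of low-privilege, self-registrable
// roles; anything else falls back to the site's configured default role.
const LISTING_SELF_REGISTER_ROLES = array( 'subscriber', 'listing_owner' ); // hypothetical roles

function listing_resolve_registration_role( $requested ) {
    $requested = is_string( $requested ) ? strtolower( trim( $requested ) ) : '';
    if ( in_array( $requested, LISTING_SELF_REGISTER_ROLES, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function listing_register_user_hardened( array $request ) {
    // CSRF check; 'listing_register' is an assumed nonce action name.
    if ( ! wp_verify_nonce( (string) ( $request['_wpnonce'] ?? '' ), 'listing_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }
    // Respect the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }

    $username = sanitize_user( wp_unslash( $request['user_login'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $request['user_email'] ?? '' ) );
    $password = (string) ( $request['user_pass'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || '' === $password ) {
        return new WP_Error( 'missing_fields', 'Username, valid email and password are required.' );
    }

    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        // Server decides the role; the request value is at most a hint within the allowlist.
        'role'       => listing_resolve_registration_role( $request['user_role'] ?? '' ),
    ) );
}

// DETECTION: independent of the handler, record any account that is created with
// the administrator role. Self-registration should never produce one, so a hit here
// is worth an incident ticket whether the cause is this CVE or another plugin.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        error_log( sprintf(
            'AUDIT: administrator role present at registration for user %d (%s)',
            $user_id,
            $user->user_login
        ) );
    }
}, 10, 1 );
```

The allowlist is the essential part: mapping the request value onto a server-held set (and defaulting to get_option('default_role')) means a request carrying user_role=administrator is simply ignored rather than rejected, so there is no error path for an attacker to probe. The audit hook is a cheap compensating control for sites that cannot patch immediately, since it catches the outcome (a new administrator) rather than the specific input.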

Advisories and patch information are detailed in references including the theme's changelog at https://listee-wp.dreamstechnologies.com/documentation/changelog.html, the ThemeForest product page at https://themeforest.net/item/listee-classified-ads-wordpress-theme/44526956, the vulnerable code at https://themes.trac.wordpress.org/browser/listee/1.1.5/listee-core/includes/listee-core-users.php#L928, and Wordfence's threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/d534feae-d1b7-4544-b1c5-c23f37dd5bab?source=cve.


Vulnerability details

The Listee theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.6. This is due to a broken validation check in the bundled listee-core plugin's user registration function that fails to properly sanitize the user_role parameter. This makes it possible for unauthenticated attackers to register as Administrator by manipulating the user_role parameter during registration.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1136.003 Cloud Account (tactic: Persistence)
Adversaries may create a cloud account to maintain access to victim systems.
Why these techniques?

The vulnerability allows direct, remote, unauthenticated exploitation of a public-facing WordPress application for privilege escalation via improper input validation, enabling the creation of high-privilege administrator accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12281 (shared CWE-269)
CVE-2025-15403 (shared CWE-269)
CVE-2025-13538 (shared CWE-269)
CVE-2024-57602 (shared CWE-269)
CVE-2026-2631 (shared CWE-269)
CVE-2025-13542 (shared CWE-269)
CVE-2025-13563 (shared CWE-269)
CVE-2025-15027 (shared CWE-269)
CVE-2025-22937 (shared CWE-269)
CVE-2025-0180 (shared CWE-269)

Affected Assets

Dreamstechnologies (vendor inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the failure to sanitize and validate the user_role parameter during user registration, preventing manipulation for privilege escalation.

AC-2 Account Management (prevent): Requires management of account creation processes to assign only authorized privileges, blocking unauthorized administrator accounts from registration.

Prevent: Mandates timely remediation of the identified flaw in the listee-core plugin's user registration function via patching.
