CVE-2026-25461
WordPress Listeo Core plugin <= 2.0.21 - Reflected Cross Site Scripting (XSS) vulnerabilityImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through <= 2.0.21.
We have discovered 511 live websites that are affected by CVE-2026-25461.
Affected Software
| Product |  Listeo Core |
| Category | Wordpress Plugins |
| Vulnerable Domains | 511 live websites (89% of Listeo Core install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 26 versions ( 96% of all versions) |
Details
- Published - Mar 25, 2026
- Updated - Mar 25, 2026
Credits
- Rafie Muhammad | Patchstack Bug Bounty Program (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2026-25461 United States | 148 websites |
 Italy | 57 websites |
 France | 37 websites |
 Germany | 31 websites |
 GB | 28 websites |
 Spain | 20 websites |
 Cyprus | 19 websites |
 Brazil | 18 websites |
 Russia | 11 websites |
 Turkey | 10 websites |
Website Distribution by TLD
Number of websites using CVE-2026-25461| .com | 211 websites |
| .it | 45 websites |
| .fr | 19 websites |
| .co.uk | 19 websites |
| .org | 18 websites |
| .net | 18 websites |
| .com.br | 15 websites |
| .de | 13 websites |
| .nl | 8 websites |
| .ru | 7 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-25461
Top websites that are affected by CVE-2026-25461. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.net | Italy | ***,*** | |
| *****************.com | United States | ***,*** | |
| ***********.***.uk | United States | ***,*** | |
| ******.pro | United States | ***,*** | |
| *******.at | United States | ***,*** | |
| ****************.com | Brazil | ***,*** | |
| ******************.com | GB | ***,*** | |
| *******************.com | United States | ***,*** | |
| *******.travel | United States | ***,*** | |
| ***************.com | United States | *,***,*** |
FAQ
A total of 511 websites have been identified as vulnerable to CVE-2026-25461, based on global website indexing conducted by WebTechSurvey.
The Listeo Core is affected by the CVE-2026-25461 vulnerability.
Listeo Core versions up to and including 2.0.21 are vulnerable to CVE-2026-25461.