CVE-2025-12981
PixelGrade · Listee Theme (WordPress)
The Listee theme for WordPress allows unauthenticated registration as an Administrator due to a broken validation check in the listee-core plugin's registration function.
Executive summary
A critical privilege escalation vulnerability in the WordPress Listee theme allows unauthenticated attackers to register new accounts with full Administrator privileges.
Vulnerability
The vulnerability stems from a broken validation check in the bundled listee-core plugin's user registration function. An unauthenticated attacker can manipulate the user_role parameter during the registration process to bypass the role restriction, so the new account is created with the Administrator role instead of the site's default role.
Business impact
This flaw carries a CVSS score of 9.8, indicating a near-total compromise of the affected WordPress environment. Successful exploitation grants an attacker full administrative control, allowing for data exfiltration, site defacement, and the installation of malicious scripts or backdoors.
Remediation
Immediate Action: Update the Listee theme and the bundled listee-core plugin to the latest available version (1.1.7 or higher) to patch the registration validation logic.
Proactive Monitoring: Audit the WordPress user database for any unauthorized Administrator accounts created recently, and review registration logs for self-registration requests that carry a user_role parameter, which no legitimate sign-up form should send.
Compensating Controls: Disable public user registration temporarily if an immediate update is not possible, or use a security plugin to restrict the roles that can be assigned during registration.
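A compensating control of the kind described above, written for this advisory as an added example rather than code from the Listee theme or the listee-core plugin: a must-use plugin (hypothetical name Registration Role Guard, function prefix rrg_ chosen here) that hooks WordPress's user_register action and resets any account created by a request not entitled to assign roles back to the site's default role, logging the user_role parameter it saw. It assumes the site's default_role option is the intended role for self-registered users, and that programmatic user creation with elevated roles only happens from WP-CLI or from a logged-in user holding promote_users.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (hypothetical name, added example)
 * Install as wp-content/mu-plugins/registration-role-guard.php. Any account
 * created by a request that is not entitled to assign roles is reset to the
 * site's default role, and the event is logged for review.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Role a self-registration may end up with: the site's default_role option.
// Assumes that option is the intended role for self-registered users.
function rrg_self_registration_role() {
    return get_option( 'default_role', 'subscriber' );
}

// True when the request may legitimately assign arbitrary roles: a logged-in
// user holding promote_users, or a WP-CLI invocation (no web request).
function rrg_request_may_assign_roles() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return true;
    }
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

// Fires right after the user row is inserted, i.e. after the theme's own
// registration code has already applied whatever role it was handed.
function rrg_enforce_registration_role( $user_id ) {
    if ( rrg_request_may_assign_roles() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $default = rrg_self_registration_role();
    $extra   = array_diff( (array) $user->roles, array( $default ) );
    if ( empty( $extra ) ) {
        return;
    }
    $user->set_role( $default ); // drops every role, then assigns $default
    $param = isset( $_REQUEST['user_role'] )
        ? sanitize_key( wp_unslash( $_REQUEST['user_role'] ) ) : '(absent)';
    error_log( sprintf( 'rrg: user %d registered with role(s) [%s]; reset to %s; user_role param=%s',
        $user_id, implode( ',', $extra ), $default, $param ) );
}
// Late priority so it runs after other user_register listeners.
add_action( 'user_register', 'rrg_enforce_registration_role', PHP_INT_MAX );
```

Because it acts after the insert rather than blocking it, the error_log lines it writes double as the registration audit trail the monitoring step above asks for.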
Exploitation status
Public Exploit Available: No
Analyst recommendation
Immediate action is required to secure affected WordPress installations. Administrators must update the Listee theme and its core plugin without delay to prevent unauthenticated attackers from gaining total control over the website and its underlying data.