Authorization Bypass in uListing Plugin for WordPress
CVE-2021-4339

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Directory Listings WordPress Plugin – Ulisting
Vendor: CVE Published:; 7 June 2023

Summary

The uListing plugin for WordPress has a significant vulnerability that allows unauthorized users to bypass authorization checks. This flaw resides in the 'ulisting/includes/route.php' file specifically affecting the /1/api/ulisting-user/search REST-API route in all versions up to and including 1.6.6. As a result, malicious actors can exploit this vulnerability to access sensitive information, including a comprehensive list of users and their email addresses stored in the database, thereby compromising data privacy and security.

Affected Version(s)

Directory Listings WordPress plugin – uListing * < 1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://blog.nintechnet.com/wordpress-ulisting-plugin-fix...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 7, 2023
Vulnerability Reserved
Jun 6, 2023

Credit

Jerome Bruandet