Authorization Bypass in uListing Plugin for WordPress
CVE-2021-4381

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Directory Listings WordPress Plugin – Ulisting
Vendor: CVE Published:; 7 June 2023

What is CVE-2021-4381?

The uListing plugin for WordPress is affected by an authorization bypass vulnerability that arises from inadequate capability checks and the absence of a security nonce in the StmListingSingleLayout::import_new_layout method. This issue enables unauthenticated attackers to manipulate any WordPress option stored in the database, potentially leading to significant security risks for WordPress installations. It is crucial for users of the uListing plugin to update to the latest version to mitigate this vulnerability and protect their sites.

Affected Version(s)

Directory Listings WordPress plugin – uListing * < 1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://blog.nintechnet.com/wordpress-ulisting-plugin-fix...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 7, 2023
Vulnerability Reserved
Jun 6, 2023

Credit

Jerome Bruandet

Wordpress

What is CVE-2021-4381?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit