WordPress Plugin Vulnerabilities

uListing < 2.0.6 - Reflected Cross-Site Scripting

Description

An Authenticated Reflected XSS vulnerability was discovered in the plugin.

Vulnerable parameter(s): &filter[id], &filter[user], &filter[expired_date], &filter[created_date], &filter[updated_date].

WPNonce is present in the original requests, but doesn't pass the correct check, as a result of which it doesn't work.

Proof of Concept

Affects Plugins

Plugin icon
ulisting
Fixed in 2.0.6

References

CVE
CVE-2021-36875

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
m0ze
Verified
Yes
WPVDB ID
5c902fac-f9fe-4763-8894-f52ed0d5d4a3

Timeline

Publicly Published
2021-07-27 (about 4 years ago)
Added
2021-07-27 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2025-01-16
Title
Blrt WP Embed <= 1.6.9 - Reflected Cross-Site Scripting
Published
2022-03-29
Title
Anti-Malware Security and Brute-Force Firewall < 4.20.96 - Reflected Cross-Site Scripting
Published
2023-10-11
Title
Master Addons for Elementor < 2.0.4 - Contributor+ Stored XSS
Published
2025-01-07
Title
Alpha Price Table For Elementor <= 1.2.0 - Contributor+ Stored XSS
Published
2022-06-14
Title
Custom Popup Builder <= 1.3.1 - Contributor+ Stored Cross-Site Scripting