WordPress Plugin Vulnerabilities

uListing < 1.7 - Missing Access Controls

Description

The plugin does not apply any kind of capability checks, or nonce checks to its AJAX actions and REST API endpoints, making it possible for unauthenticated attackers to conduct numerous administrative actions.

Affects Plugins

Plugin icon
ulisting
Fixed in 1.7

References

CVE
CVE-2021-4370
URL
https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
5fb497bc-4652-4902-bc01-724ae22c1b0e

Timeline

Publicly Published
2021-01-28 (about 5 years ago)
Added
2023-06-08 (about 2 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2019-08-09
Title
Woody Ad Snippets < 2.2.6 - Arbitrary Post Deletion
Published
2026-01-19
Title
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy < 4.2.5 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure
Published
2024-03-04
Title
Schema Pro < 2.7.16 - Contributor+ Custom Field Access
Published
2021-09-22
Title
Ninja Forms < 3.5.8 - Unprotected REST-API to Email Injection
Published
2024-06-28
Title
Patreon WordPress < 1.9.1 - Protection Mechanism Bypass