WordPress Plugin Vulnerabilities

uListing < 2.0.4 - Unauthenticated SQL Injection

Description

An Unauthenticated SQL Injection vulnerability was discovered in the plugin.

Vulnerable parameter(s): custom.

SQL Injection type(s): Error-based, Boolean-based Blind, Time-based Blind.

Proof of Concept

Affects Plugins

Plugin icon
ulisting
Fixed in 2.0.4

References

CVE
CVE-2021-36880

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.5 (high)

Miscellaneous

Submitter
m0ze
Verified
Yes
WPVDB ID
7b32e28e-9092-4ecc-95d0-a2b9464b4a9c

Timeline

Publicly Published
2021-07-26 (about 4 years ago)
Added
2021-07-27 (about 4 years ago)
Last Updated
2022-04-15 (about 3 years ago)

Other

Published
Title
Published
2025-05-20
Title
Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection
Published
2023-12-21
Title
Squirrly SEO - Advanced Pack <= 2.3.8 - Authenticated(Administrator+) SQL Injection
Published
2014-08-01
Title
ActiveHelper LiveHelp Server 3.2.2 - server/import/tracker.php Multiple Parameter SQL Injection
Published
2025-03-24
Title
JiangQie Official Website Mini Program <= 1.8.2 - Authenticated (Administrator+) SQL Injection
Published
2025-01-29
Title
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory < 2.8.98 - Unauthenticated SQL Injection