WordPress Plugin Vulnerabilities

uListing < 1.7 - Unauthenticated Arbitrary Post/Page Deletion

Description

The /1/api/ulisting-user/deletelisting REST route did not have any authorisation and CSRF checks in place, allowing unauthenticated usesr to delete any page or post.

Affects Plugins

Plugin icon
ulisting
Fixed in 1.7

References

CVE
CVE-2021-4357
URL
https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
Yes
WPVDB ID
f53b1c0f-43c5-4bc4-b5e7-e286c15f6f2e

Timeline

Publicly Published
2021-01-28 (about 3 years ago)
Added
2021-01-28 (about 3 years ago)
Last Updated
2023-06-08 (about 11 months ago)

Other

Published
Title
Published
2021-10-25
Title
Age Gate < 2.17.1 - Unauthenticated Import Settings
Published
2021-09-20
Title
Multiple WooCommerce Add-Ons - Low Priv Arbitrary Blog Options Update/Access/Deletion & Plugin's Settings Update/Export/Import
Published
2021-12-27
Title
WP Post Page Clone < 1.2 - Unauthorised Post Access
Published
2021-05-26
Title
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Import
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Arbitrary Account Creation