WordPress Plugin Vulnerabilities

uListing < 2.0.6 - Multiple CSRF

Description

The plugin is lacking proper CSRF checks in multiple protected actions within wp-admin pages, leaving them vulnerable to CSRF attacks.

Proof of Concept

Affects Plugins

Plugin icon
ulisting
Fixed in 2.0.6

References

CVE
CVE-2021-36876

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Submitter
m0ze
Verified
Yes
WPVDB ID
fae06fbc-a128-43ff-8f2a-7886957d8881

Timeline

Publicly Published
2021-07-27 (about 4 years ago)
Added
2021-07-27 (about 4 years ago)
Last Updated
2022-04-15 (about 4 years ago)

Other

Published
Title
Published
2025-09-26
Title
VM Menu Reorder plugin <= 1.0.0 - Cross-Site Request Forgery to Settings Update
Published
2023-11-28
Title
Affiliate Booster < 3.0.6 - Blocks Enabling/Disabling via CSRF
Published
2023-09-04
Title
Hide Admin Notices < 2.3.3 - Settings Update via CSRF
Published
2023-12-27
Title
Inline Image Upload for BBPress < 1.1.19 - Cross-Site Request Forgery via hm_bbpui_admin_page
Published
2025-11-10
Title
YSlider <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting