12 vulnerabilities found for uListing (WordPress plugin) by StylemixThemes
CVE-2021-36880 (GCVE-0-2021-36880)
Vulnerability from nvd – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:50
Title
WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Summary
Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom.
Severity ?
8.6 (High)
CWE
- CWE-89 - SQL Injection
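Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability | x_refsource_MISC |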
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.3 , ≤ 2.0.3 (custom) |
Date Public ?
2021-07-26 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:50:50.787554Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:50:55.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.3",
"status": "affected",
"version": "\u003c= 2.0.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.3), vulnerable parameter: custom."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:46.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.4 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-26T07:34:00.000Z",
"ID": "CVE-2021-36880",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.3",
"version_value": "2.0.3"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.3), vulnerable parameter: custom."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.4 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36880",
"datePublished": "2021-09-27T15:32:46.608Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:50:55.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36879 (GCVE-0-2021-36879)
Vulnerability from nvd – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:53
Title
WordPress uListing plugin <= 2.0.5 - Unauthenticated Privilege Escalation vulnerability
Summary
Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5). Possible if WordPress configuration allows user registration.
Severity ?
9.8 (Critical)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
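Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability | x_refsource_MISC |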
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:53:03.779317Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:53:09.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5). Possible if WordPress configuration allows user registration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:14.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Unauthenticated Privilege Escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T05:17:00.000Z",
"ID": "CVE-2021-36879",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Unauthenticated Privilege Escalation vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5). Possible if WordPress configuration allows user registration."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36879",
"datePublished": "2021-09-27T15:32:14.511Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:53:09.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36877 (GCVE-0-2021-36877)
Vulnerability from nvd – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:51
Title
WordPress uListing plugin <= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to modify user roles.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
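Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability | x_refsource_MISC |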
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:51:44.104961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:51:49.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5) makes it possible for attackers to modify user roles."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:29.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T04:34:00.000Z",
"ID": "CVE-2021-36877",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5) makes it possible for attackers to modify user roles."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36877",
"datePublished": "2021-09-27T15:32:29.761Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:51:49.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36876 (GCVE-0-2021-36876)
Vulnerability from nvd – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:52
Title
WordPress uListing plugin <= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Summary
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions <= 2.0.5) as it lacks CSRF checks on plugin administration pages.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
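Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities | x_refsource_MISC |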
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:52:48.227295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:52:51.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions \u003c= 2.0.5) as it lacks CSRF checks on plugin administration pages."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:23.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T04:29:00.000Z",
"ID": "CVE-2021-36876",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions \u003c= 2.0.5) as it lacks CSRF checks on plugin administration pages."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36876",
"datePublished": "2021-09-27T15:32:23.393Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:52:51.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36874 (GCVE-0-2021-36874)
Vulnerability from nvd – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:51
Title
WordPress uListing plugin <= 2.0.5 - Authenticated Insecure Direct Object References (IDOR) vulnerability
Summary
Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions <= 2.0.5).
Severity ?
7.1 (High)
CWE
- Insecure Direct Object Reference (IDOR)
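Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability | x_refsource_MISC |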
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.840Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36874",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:51:26.809134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:51:29.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Direct Object Reference (IDOR)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:39.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Authenticated Insecure Direct Object References (IDOR) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T04:22:00.000Z",
"ID": "CVE-2021-36874",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Authenticated Insecure Direct Object References (IDOR) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36874",
"datePublished": "2021-09-27T15:32:39.576Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:51:29.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36878 (GCVE-0-2021-36878)
Vulnerability from nvd – Published: 2021-09-27 14:12 – Updated: 2025-03-28 16:53
Title
WordPress uListing plugin <= 2.0.5 - Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to update settings.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
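References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability | x_refsource_MISC |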
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:53:22.009086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:53:24.538Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5) makes it possible for attackers to update settings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T14:12:59.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Settings Update via Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T04:44:00.000Z",
"ID": "CVE-2021-36878",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Settings Update via Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5) makes it possible for attackers to update settings."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36878",
"datePublished": "2021-09-27T14:12:59.645Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:53:24.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36880 (GCVE-0-2021-36880)
Vulnerability from cvelistv5 – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:50
Title
WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Summary
Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom.
Severity ?
8.6 (High)
CWE
- CWE-89 - SQL Injection
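Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability | x_refsource_MISC |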
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.3 , ≤ 2.0.3 (custom) |
Date Public ?
2021-07-26 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:50:50.787554Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:50:55.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.3",
"status": "affected",
"version": "\u003c= 2.0.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.3), vulnerable parameter: custom."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:46.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.4 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-26T07:34:00.000Z",
"ID": "CVE-2021-36880",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.3",
"version_value": "2.0.3"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.3), vulnerable parameter: custom."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.4 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36880",
"datePublished": "2021-09-27T15:32:46.608Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:50:55.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36874 (GCVE-0-2021-36874)
Vulnerability from cvelistv5 – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:51
Title
WordPress uListing plugin <= 2.0.5 - Authenticated Insecure Direct Object References (IDOR) vulnerability
Summary
Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions <= 2.0.5).
Severity ?
7.1 (High)
CWE
- Insecure Direct Object Reference (IDOR)
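Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability | x_refsource_MISC |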
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.840Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36874",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:51:26.809134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:51:29.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Direct Object Reference (IDOR)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:39.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Authenticated Insecure Direct Object References (IDOR) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T04:22:00.000Z",
"ID": "CVE-2021-36874",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Authenticated Insecure Direct Object References (IDOR) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36874",
"datePublished": "2021-09-27T15:32:39.576Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:51:29.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36877 (GCVE-0-2021-36877)
Vulnerability from cvelistv5 – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:51
Title
WordPress uListing plugin <= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to modify user roles.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
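Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability | x_refsource_MISC |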
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:51:44.104961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:51:49.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5) makes it possible for attackers to modify user roles."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:29.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T04:34:00.000Z",
"ID": "CVE-2021-36877",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5) makes it possible for attackers to modify user roles."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36877",
"datePublished": "2021-09-27T15:32:29.761Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:51:49.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36876 (GCVE-0-2021-36876)
Vulnerability from cvelistv5 – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:52
Title
WordPress uListing plugin <= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Summary
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions <= 2.0.5) as it lacks CSRF checks on plugin administration pages.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
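Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities | x_refsource_MISC |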
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:52:48.227295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:52:51.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions \u003c= 2.0.5) as it lacks CSRF checks on plugin administration pages."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:23.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T04:29:00.000Z",
"ID": "CVE-2021-36876",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions \u003c= 2.0.5) as it lacks CSRF checks on plugin administration pages."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36876",
"datePublished": "2021-09-27T15:32:23.393Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:52:51.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36879 (GCVE-0-2021-36879)
Vulnerability from cvelistv5 – Published: 2021-09-27 15:32 – Updated: 2025-03-28 16:53
Title
WordPress uListing plugin <= 2.0.5 - Unauthenticated Privilege Escalation vulnerability
Summary
Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5). Possible if WordPress configuration allows user registration.
Severity ?
9.8 (Critical)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
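Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability | x_refsource_MISC |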
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:53:03.779317Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:53:09.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5). Possible if WordPress configuration allows user registration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:32:14.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Unauthenticated Privilege Escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T05:17:00.000Z",
"ID": "CVE-2021-36879",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Unauthenticated Privilege Escalation vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5). Possible if WordPress configuration allows user registration."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36879",
"datePublished": "2021-09-27T15:32:14.511Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:53:09.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36878 (GCVE-0-2021-36878)
Vulnerability from cvelistv5 – Published: 2021-09-27 14:12 – Updated: 2025-03-28 16:53
Title
WordPress uListing plugin <= 2.0.5 - Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to update settings.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
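Assigner
Patchstack
References
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/ulisting/#developers | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability | x_refsource_MISC |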
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | uListing (WordPress plugin) | Affected: <= 2.0.5 , ≤ 2.0.5 (custom) |
Date Public ?
2021-07-27 00:00
Credits
Original researcher - m0ze (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:53:22.009086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:53:24.538Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uListing (WordPress plugin)",
"vendor": "StylemixThemes",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "\u003c= 2.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"datePublic": "2021-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5) makes it possible for attackers to update settings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T14:12:59.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress uListing plugin \u003c= 2.0.5 - Settings Update via Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-07-27T04:44:00.000Z",
"ID": "CVE-2021-36878",
"STATE": "PUBLIC",
"TITLE": "WordPress uListing plugin \u003c= 2.0.5 - Settings Update via Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uListing (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.0.5",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "StylemixThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - m0ze (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5) makes it possible for attackers to update settings."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/ulisting/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/ulisting/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-settings-update-via-cross-site-request-forgery-csrf-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.0.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36878",
"datePublished": "2021-09-27T14:12:59.645Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:53:24.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}