CVE-2021-4345

MEDIUM

uListing plugin <1.6.6 - Auth Bypass

Title source: llm
STIX 2.1

Description

The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability and nonce checks on the UlistingUserRole::save_role_api method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to remove or add roles, and add capabilities.

Scores

CVSS v3 6.5
EPSS 0.0073
EPSS Percentile 49.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
stylemix/Directory Listings WordPress plugin – uListing < 1.7
stylemixthemes/ulisting < 1.6.6
Published Jun 07, 2023
Tracked Since Feb 18, 2026