CVE-2021-4370
CRITICALuListing <= 1.6.6 - Unauthenticated Authorization Bypass via Missing Security Nonces
Title source: llmDescription
The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection.
References (3)
Core 3
Core References
Scores
CVSS v3
9.8
EPSS
0.0140
EPSS Percentile
69.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (2)
stylemix/Directory Listings WordPress plugin – uListing
< 1.7
stylemixthemes/ulisting
< 1.6.6
Published
Jun 07, 2023
Tracked Since
Feb 18, 2026