CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36877 – WordPress uListing plugin <= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2021-36877
27 Jul 2021 — Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to modify user roles. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en el plugin uListing de WordPress (versiones anteriores a 2.0.5 incluyéndola) hace posible a atacantes modificar los roles de usuarios • https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-modify-user-roles-via-cross-site-request-forgery-csrf-vulnerability • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36876 – WordPress uListing plugin <= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
https://notcve.org/view.php?id=CVE-2021-36876
27 Jul 2021 — Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions <= 2.0.5) as it lacks CSRF checks on plugin administration pages. Múltiples vulnerabilidades de tipo Cross-Site Request Forgery (CSRF) en el plugin uListing de WordPress (versiones anteriores a 2.0.5 incluyéndola) ya que carece de comprobaciones de tipo CSRF en las páginas de administración del plugin • https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-multiple-cross-site-request-forgery-csrf-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36875 – WordPress uListing plugin <= 2.0.5 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36875
27 Jul 2021 — Authenticated Reflected Cross-Site Scripting (XSS) vulnerability in WordPress uListing plugin (versions <= 2.0.5). Vulnerable parameters: &filter[id], &filter[user], &filter[expired_date], &filter[created_date], &filter[updated_date]. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado y Autenticado en el plugin uListing de WordPress (versiones anteriores a 2.0.5 incluyéndola). Parámetros vulnerables: &filter[id], &filter[user], &filter[expired_date], &filter[created_date], &... • https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-reflected-cross-site-scripting-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36874 – WordPress uListing plugin <= 2.0.5 - Authenticated Insecure Direct Object References (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2021-36874
27 Jul 2021 — Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions <= 2.0.5). Una vulnerabilidad de Referencias Directas a Objetos no Seguros (IDOR) en el plugin uListing de WordPress (versiones anteriores a 2.0.5 incluyéndola) • https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 0CVE-2021-36880 – WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability
https://notcve.org/view.php?id=CVE-2021-36880
26 Jul 2021 — Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom. Una vulnerabilidad de inyección SQL no autenticada (SQLi) en el plugin uListing de WordPress (versiones anteriores a 2.0.3 incluyéndola), parámetro vulnerable: custom • https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4381 – uListing <= 1.6.6 - Unauthenticated Options Changes via wp_route
https://notcve.org/view.php?id=CVE-2021-4381
28 Jan 2021 — The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. El plugin uListing para WordPress es vulnerable a la omisión de autorización a través de "wp_route" debido a la falta de comprobaciones de capacidad, y la falta de u... • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4339 – uListing <= 1.6.6 - Unauthenticated Information Disclosure
https://notcve.org/view.php?id=CVE-2021-4339
28 Jan 2021 — The uListing plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the "ulisting/includes/route.php" file on the /1/api/ulisting-user/search REST-API route in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to retrieve the list of all users and their email address in the database. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4341 – uListing <= 1.6.6 - Unauthenticated Wordpress Options Changes via AJAX
https://notcve.org/view.php?id=CVE-2021-4341
28 Jan 2021 — The uListing plugin for WordPress is vulnerable to authorization bypass via Ajax due to missing capability checks, missing input validation, and a missing security nonce in the stm_update_email_data AJAX action in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4343 – uListing <= 1.6.6 - Unauthenticated Arbitrary Account Creation
https://notcve.org/view.php?id=CVE-2021-4343
28 Jan 2021 — The Unauthenticated Account Creation plugin for WordPress is vulnerable to Unauthenticated Account Creation in versions up to, and including, 1.6.6. This is due to the stm_listing_register AJAX action function being accessible and taking roles unprotected. This makes it possible for unauthenticated attackers to create accounts, even those with administrator privileges. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4345 – uListing <= 1.6.6 - Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
https://notcve.org/view.php?id=CVE-2021-4345
28 Jan 2021 — The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability and nonce checks on the UlistingUserRole::save_role_api method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to remove or add roles, and add capabilities. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities • CWE-862: Missing Authorization •