CVE-2021-36880 – WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability
https://notcve.org/view.php?id=CVE-2021-36880
Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom. Una vulnerabilidad de inyección SQL no autenticada (SQLi) en el plugin uListing de WordPress (versiones anteriores a 2.0.3 incluyéndola), parámetro vulnerable: custom • https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability https://wordpress.org/plugins/ulisting/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-4339 – uListing <= 1.6.6 - Unauthenticated Information Disclosure
https://notcve.org/view.php?id=CVE-2021-4339
The uListing plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the "ulisting/includes/route.php" file on the /1/api/ulisting-user/search REST-API route in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to retrieve the list of all users and their email address in the database. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/0a6615fd-7c37-45d9-a657-0ba00df840e5?source=cve • CWE-862: Missing Authorization •
CVE-2021-4345 – uListing <= 1.6.6 - Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
https://notcve.org/view.php?id=CVE-2021-4345
The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability and nonce checks on the UlistingUserRole::save_role_api method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to remove or add roles, and add capabilities. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/44e112a7-8f51-4d2a-a4b3-74a47ef3aec7?source=cve • CWE-862: Missing Authorization •
CVE-2021-4357 – uListing <= 1.6.6 - Unauthenticated Arbitrary Post/Page Deletion
https://notcve.org/view.php?id=CVE-2021-4357
The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability checks, and a missing security nonce, on the UlistingUserRole::save_role_api function in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to arbitrarily delete site posts and pages. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= https://wordpress.org/plugins/ulisting/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/71aa14b8-39bc-4b91-a7cf-9d203fdf44ea?source=cve • CWE-862: Missing Authorization •
CVE-2021-4370 – uListing <= 1.6.6 - Missing Authorization
https://notcve.org/view.php?id=CVE-2021-4370
The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ada976-03b8-4219-9ae3-9060fb7b9de5?source=cve • CWE-862: Missing Authorization •