CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4346 – uListing <= 1.6.6 - Unauthenticated Arbitrary Account Changes
https://notcve.org/view.php?id=CVE-2021-4346
The uListing plugin for WordPress is vulnerable to Unauthenticated Arbitrary Account Changes in versions up to, and including, 1.6.6. This is due to missing login checks on the stm_listing_profile_edit AJAX action. This makes it possible for unauthenticated attackers to edit any account on the blog, such as changing the admin account's email address. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/41800ea9-1ace-42fc-9e7f-d760a126342b?source=cve • CWE-862: Missing Authorization •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4357 – uListing <= 1.6.6 - Unauthenticated Arbitrary Post/Page Deletion
https://notcve.org/view.php?id=CVE-2021-4357
The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability checks, and a missing security nonce, on the UlistingUserRole::save_role_api function in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to arbitrarily delete site posts and pages. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= https://wordpress.org/plugins/ulisting/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/71aa14b8-39bc-4b91-a7cf-9d203fdf44ea?source=cve • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4370 – uListing <= 1.6.6 - Missing Authorization
https://notcve.org/view.php?id=CVE-2021-4370
The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ada976-03b8-4219-9ae3-9060fb7b9de5?source=cve • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4381 – uListing <= 1.6.6 - Unauthenticated Options Changes via wp_route
https://notcve.org/view.php?id=CVE-2021-4381
The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. El plugin uListing para WordPress es vulnerable a la omisión de autorización a través de "wp_route" debido a la falta de comprobaciones de capacidad, y la falta de un nonce de seguridad, en el método "StmListingSingleLayout::import_new_layout" en versiones hasta la v1.6.6 inclusive. Esto hace posible que atacantes no autenticados cambien cualquier opción de WordPress en la base de datos. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/ff5755dc-2262-47f6-ac3a-6bca9529d088?source=cve • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-17229 – Motors – Car Dealer, Classifieds & Listing <= 1.4.0 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-17229
includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress has multiple stored XSS issues. El archivo includes/options.php en el plugin motors-car-dealership-classified-listings (también se conoce como Motors - Car Dealer & Classified Ads) versiones hasta 1.4.0 para WordPress, presenta múltiples problemas de tipo XSS almacenado. • https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-motors-car-dealer-classified-ads-plugin https://wordpress.org/plugins/motors-car-dealership-classified-listings/#developers https://wpvulndb.com/vulnerabilities/9884 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •