CVE-2021-4345

State: PUBLISHED · Published: 2023-06-07 · Updated: 2026-04-08 · Assigner: Wordfence

Description

The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability and nonce checks on the UlistingUserRole::save_role_api method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to remove or add roles, and add capabilities.

CWE

CWE-862 — CWE-862 Missing Authorization

Affected

stylemix / Directory Listings WordPress plugin – uListing — v=0 <1.7 [affected]

CVSS

3.1 score=6.5 severity=MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/44e112a7-8f51-4d2a-a4b3-74a47ef3aec7?source=cve
https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail=

Source

cvelistV5-main/cves/2021/4xxx/CVE-2021-4345.json