Directory Listings Wordpress Plugin – Ulisting
Approved changes feed: RSS · Atom
cpe:2.3:a:stylemix:directory_listings_wordpress_plugin_–_ulisting:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Stylemix (c2170171-f70b-5bf4-89aa-da5048b14251) |
|---|---|
| Product | Directory Listings Wordpress Plugin – Ulisting (c874d5d1-4708-5c93-8825-1691cedc3caa) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-1657 |
vulnerable | 2026-06-08 07:08:37.513546 |
Directory Listings WordPress plugin – uListing <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection
HIGH (8.8)
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized. A capability check was added in 2.1.8, but the unserialize is still present.
Published: 2025-03-15T02:22:41.764Z
Updated: 2026-04-08T16:35:28.754Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1653 |
vulnerable | 2026-06-08 07:08:37.508647 |
Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Subscriber+) Privilege Escalation
HIGH (8.8)
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.0. This is due to the stm_listing_profile_edit AJAX action not having enough restriction on the user meta that can be updated. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Published: 2025-03-15T02:22:42.443Z
Updated: 2026-04-08T16:48:42.905Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4381 |
vulnerable | 2026-06-08 05:38:09.303952 |
uListing <= 1.6.6 - Unauthenticated Options Changes via wp_route
CRITICAL (9.8)
The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database.
Published: 2023-06-07T01:51:54.750Z
Updated: 2026-04-08T17:35:19.600Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4370 |
vulnerable | 2026-06-08 05:38:09.285165 |
uListing <= 1.6.6 - Missing Authorization
CRITICAL (9.8)
The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection.
Published: 2023-06-07T01:51:43.279Z
Updated: 2026-04-08T17:20:57.382Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4357 |
vulnerable | 2026-06-08 05:38:09.261753 |
uListing <= 1.6.6 - Unauthenticated Arbitrary Post/Page Deletion
CRITICAL (9.1)
The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability checks, and a missing security nonce, on the UlistingUserRole::save_role_api function in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to arbitrarily delete site posts and pages.
Published: 2023-06-07T01:51:26.007Z
Updated: 2026-04-08T17:00:37.828Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4346 |
vulnerable | 2026-06-08 05:38:09.243630 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4345 |
vulnerable | 2026-06-08 05:38:09.243121 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4343 |
vulnerable | 2026-06-08 05:38:09.238918 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4341 |
vulnerable | 2026-06-08 05:38:09.238358 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4340 |
vulnerable | 2026-06-08 05:38:09.237960 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4339 |
vulnerable | 2026-06-08 05:38:09.236263 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-36875 |
vulnerable | 2026-06-08 05:32:52.652465 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.