Critical severity9.8NVD Advisory· Published Jun 7, 2023· Updated Apr 8, 2026

CVE-2021-4370

Description

The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection.

Affected products

Stylemixthemes/Ulisting
cpe:2.3:a:stylemixthemes:ulisting:*:*:*:*:*:wordpress:*:*
Range: <=1.6.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvdPatch
blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/nvdExploit
www.wordfence.com/threat-intel/vulnerabilities/id/c5ada976-03b8-4219-9ae3-9060fb7b9de5nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000