CVE-2026-28078
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Stylemix uListing ulisting allows Path Traversal. This issue affects uListing: from n/a through <= 2.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in the uListing plugin, versions 2.2.0 and earlier, allows unauthenticated arbitrary file download, risking exposure of sensitive data.
Vulnerability
Overview
The uListing plugin for WordPress, versions 2.2.0 and earlier, contains a path traversal vulnerability (CWE-22) in its file handling functionality. The software fails to properly restrict the pathname to a restricted directory, enabling an attacker to traverse outside the intended directory structure [1]. This flaw is classified as an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests that include path traversal sequences (e.g., ../) to download arbitrary files from the server. No authentication is required, and the attack can be performed remotely over the network. The vulnerability is considered moderately dangerous because it can be used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously, regardless of site traffic or popularity [1].
Impact
Successful exploitation allows an attacker to download any file from the affected WordPress installation. This includes sensitive files such as wp-config.php (which contains database credentials), backup files, and other configuration files that may expose login credentials or secret keys. The CVSS v3 base score is 4.9 (Medium), reflecting a medium severity but with a high potential for real-world damage due to the ease of exploitation and the value of the exposed data [1].
Mitigation
As of the publication date (2026-03-05), the vendor has not released a patched version. The recommended immediate action is to update the plugin as soon as a fix becomes available. If updating is not possible, site administrators should consult with their hosting provider or web developer to implement workarounds, such as restricting access to the vulnerable endpoint via web application firewall rules or disabling the plugin until a patch is applied [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
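The CWE-22 defect the Overview describes and the restriction the Mitigation calls for come down to one check: resolve the requested path and confirm it is still inside the directory the plugin is allowed to serve from. The Python below is an added illustration of that check, not uListing's code (the plugin is PHP and its endpoint is not shown on this page); the uploads directory, file names and request strings are constructed sample data.

```python
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the real filesystem path for ``requested`` only if it stays
    inside ``base_dir``; return None for anything that escapes it.

    The containment test runs on the fully decoded string that would be
    opened, after symlinks are resolved, so "../" sequences, percent-encoded
    variants and symlinks pointing outside the directory are all rejected.
    """
    decoded = unquote(unquote(requested))  # second pass catches double encoding
    if "\x00" in decoded:                  # NUL would truncate the path in C APIs
        return None
    if os.path.isabs(decoded) or os.path.splitdrive(decoded)[0]:
        return None                        # absolute paths never belong here
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, decoded))
    # commonpath, not startswith(): a prefix check would accept a sibling
    # directory such as <base>-private as if it were inside <base>.
    try:
        if os.path.commonpath([real_base, candidate]) != real_base:
            return None
    except ValueError:                     # different drives on Windows
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a throwaway tree (constructed sample data) and report, per
    request string, whether the check would allow the download."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(os.path.join(uploads, "photos"))
    open(os.path.join(uploads, "photos", "1.jpg"), "w").close()
    open(os.path.join(root, "wp-config.php"), "w").close()  # lives outside base
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(uploads, "link"))
    requests = [
        "photos/1.jpg",                       # legitimate listing image
        "../wp-config.php",                   # plain traversal
        "photos/../../wp-config.php",         # traversal after a valid prefix
        "%2e%2e/wp-config.php",               # percent-encoded dots
        "%252e%252e%252fwp-config.php",       # double-encoded
        "link",                               # symlink escaping the directory
        os.path.join(root, "wp-config.php"),  # absolute path
    ]
    return {r: resolve_download_path(uploads, r) is not None for r in requests}
```

Calling `demo()` returns a mapping in which only `photos/1.jpg` is allowed; every other request resolves outside the uploads directory and is denied.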
Affected products (1)
- Range: <=2.2.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.