The uListing plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the "ulisting/includes/route.php" file on the /1/api/ulisting-user/search REST-API route in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to retrieve the list of all users and their email address in the database.
References
Configurations
History
21 Nov 2024, 06:37
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
References | () https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/ - Exploit | |
References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= - Release Notes | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/0a6615fd-7c37-45d9-a657-0ba00df840e5?source=cve - Third Party Advisory |
13 Jun 2023, 14:56
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-862 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
CPE | cpe:2.3:a:stylemixthemes:ulisting:*:*:*:*:*:wordpress:*:* | |
References | (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/0a6615fd-7c37-45d9-a657-0ba00df840e5?source=cve - Third Party Advisory | |
References | (MISC) https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail= - Release Notes | |
References | (MISC) https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/ - Exploit |
07 Jun 2023, 02:44
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-07 02:15
Updated : 2024-11-21 06:37
NVD link : CVE-2021-4339
Mitre link : CVE-2021-4339
CVE.ORG link : CVE-2021-4339
JSON object : View
Products Affected
stylemixthemes
- ulisting
CWE
CWE-862
Missing Authorization