CVE-2021-4370
Published: 2023-06-07
Priority: P2 · 62 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.40% (69.1th percentile)
The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | microsoft_exchange_server_2013_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_18 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_19 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_7 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_8 | — | — |
| stylemix | directory_listings_wordpress_plugin_ulisting | < 1.7 | 1.7 |
| stylemixthemes | ulisting | <= 1.6.6 | — |
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_msrc: 9.1 CRITICAL
GHSA
GHSA-mwfr-f8cq-76v9 · CVE-2021-4370 [CRITICAL] · CWE-862 · ghsa_unreviewed · 2023-06-07
Summary: identical to the NVD description above (unauthenticated authorization bypass in uListing up to and including 1.6.6).
Microsoft
CVE-2021-27078 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc · 2021-03-09 · CVSS 9.1
Product: Microsoft Exchange Server
Vendor: Microsoft
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
References:
- http://www.microsoft.com/download/details.aspx?familyid=31211a48-0cef-462e-bb11-c36440f80bb3
- https://support.microsoft.com/help/5000871
- https://www.microsoft.com/download/details.aspx?familyid=18c75641-e53d-4979-8d5e-29a80674e41f
- http://www.microsoft.com/download/details.aspx?familyid=1255ecd7-b187-4839-96c9-1fc5e05df7b6
- http://www.microsoft.com/download/details.aspx?familyid=2aadda14-b8aa-4370-a492-0a6818facce
Microsoft
CVE-2021-26854 [MEDIUM] Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc · 2021-03-09 · CVSS 6.6
Product: Microsoft Exchange Server
Vendor: Microsoft
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
References:
- http://www.microsoft.com/download/details.aspx?familyid=31211a48-0cef-462e-bb11-c36440f80bb3
- https://support.microsoft.com/help/5000871
- https://www.microsoft.com/download/details.aspx?familyid=18c75641-e53d-4979-8d5e-29a80674e41f
- http://www.microsoft.com/download/details.aspx?familyid=1255ecd7-b187-4839-96c9-1fc5e05df7b6
- http://www.microsoft.com/download/details.aspx?familyid=2aadda14-b8aa-4370-a492-0a6818facce
Microsoft
CVE-2021-26412 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc · 2021-03-09 · CVSS 9.1
Product: Microsoft Exchange Server
Vendor: Microsoft
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
References:
- http://www.microsoft.com/download/details.aspx?familyid=1255ecd7-b187-4839-96c9-1fc5e05df7b6
- https://support.microsoft.com/help/5000871
- http://www.microsoft.com/download/details.aspx?familyid=2aadda14-b8aa-4370-a492-0a6818facce8
- http://www.microsoft.com/download/details.aspx?familyid=192fa60f-664a-4f3e-b19f-e295135e469b
- http://www.microsoft.com/download/details.aspx?familyid=31211a48-0cef-462e-bb11-c36440f80bb3
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ada976-03b8-4219-9ae3-9060fb7b9de5?source=cve