CVE-2021-4339
📋 TL;DR
The uListing WordPress plugin up to version 1.6.6 has an authorization bypass vulnerability in its REST API endpoint. Unauthenticated attackers can exploit this to retrieve all user data including email addresses from the WordPress database. Any WordPress site using the vulnerable uListing plugin versions is affected.
💻 Affected Systems
- WordPress uListing plugin
📦 What is this software?
Ulisting by Stylemixthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers harvest all user email addresses and usernames, enabling targeted phishing campaigns, credential stuffing attacks, and user enumeration for further exploitation.
Likely Case
User data exposure leading to spam campaigns, targeted phishing, and potential account takeover attempts using the harvested information.
If Mitigated
With the endpoint blocked (WAF rule or the request filter below) but the plugin still active, residual risk is user enumeration through any URL form the block misses; there is no direct system compromise, but any disclosed usernames and email addresses still violate privacy and enable social engineering.
🎯 Exploit Status
Simple HTTP GET request to vulnerable endpoint with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.7 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the uListing plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, download version 1.6.7 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable REST API endpoint
Add the following to the active theme's functions.php (or, better, to a must-use plugin under wp-content/mu-plugins so it survives a theme switch) to reject any REST request whose route contains the vulnerable endpoint. Because it hooks WordPress's own REST dispatcher, it covers both the /wp-json/ path form and the ?rest_route= query form.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Short-circuit the dispatch with a 403 when the resolved route is the user-search endpoint.
    if ( strpos( $request->get_route(), '/ulisting-user/search' ) !== false ) {
        return new WP_Error( 'rest_forbidden', 'Access forbidden', array( 'status' => 403 ) );
    }
    // Any other route is dispatched normally.
    return $result;
}, 10, 3 );
Temporarily disable uListing plugin
Deactivate the plugin with WP-CLI until the patched version is installed (listings served by the plugin will be unavailable while it is off)
wp plugin deactivate ulisting
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that block GET requests to the /ulisting-user/search endpoint in both URL forms named on this page (/wp-json/ulisting/v1/ulisting-user/search and /1/api/ulisting-user/search)
- Remember that WordPress also serves REST routes via the query string (/?rest_route=/ulisting/v1/ulisting-user/search, possibly URL-encoded), so a rule that matches only the request path can be bypassed; match the rest_route parameter as well
- Restrict access to WordPress REST API endpoints using .htaccess or nginx configuration, with the same caveat about the rest_route query form
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for uListing plugin version. If version is 1.6.6 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=ulisting --field=version
Verify Fix Applied:
After updating, verify uListing plugin version shows 1.6.7 or higher in WordPress admin plugins page.
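The following is an added example, not code from the advisory or from the plugin vendor: a small Python check for hosts where WP-CLI is unavailable. It reads the plugin's main file header the way WordPress does and compares the Version: value against the fixed release. The path wp-content/plugins/ulisting/ulisting.php and the sample header text are assumptions for illustration.

```python
import re
import sys

# Release that closes the REST authorization gap, per the advisory.
FIXED_IN = "1.6.7"

# Constructed sample of a WordPress plugin header block (not the vendor's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: uListing
 * Plugin URI:  https://example.invalid/ulisting
 * Version:     1.6.6
 */
"""


def parse_plugin_version(php_source):
    """Pull the 'Version:' header value out of a plugin's main PHP file."""
    m = re.search(r'^\s*\*?\s*Version:\s*(\S+)', php_source, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version):
    """Numeric tuple for ordering; a '-beta'-style suffix is ignored."""
    return tuple(int(p) for p in re.findall(r'\d+', version.split('-')[0]))


def is_vulnerable(version):
    """True for every release below the fixed version, i.e. 1.6.6 and earlier."""
    return version_key(version) < version_key(FIXED_IN)


def check_file(path):
    """Report the installed uListing version and whether it still needs the update."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        # The header lives at the top of the file; 8 KiB is plenty.
        version = parse_plugin_version(fh.read(8192))
    if version is None:
        return "could not read Version: header from %s" % path
    if is_vulnerable(version):
        return "uListing %s: VULNERABLE (update to %s or later)" % (version, FIXED_IN)
    return "uListing %s: patched" % version


if __name__ == "__main__":
    # Assumed default location of the plugin's main file inside a WordPress install.
    plugin_file = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins/ulisting/ulisting.php"
    print(check_file(plugin_file))
```

Run it from the WordPress root, or pass the plugin file path explicitly. The version comparison is numeric per dotted component, so 1.7 is correctly treated as newer than 1.6.7.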
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /wp-json/ulisting/v1/ulisting-user/search or /1/api/ulisting-user/search (or the equivalent /?rest_route=/ulisting/v1/ulisting-user/search query form) carrying no WordPress login cookie or authorization header
- Unusual spikes in requests to WordPress REST API endpoints
Network Indicators:
- HTTP GET requests to user enumeration endpoints without authentication headers
- Traffic patterns showing enumeration of user data
SIEM Query:
source="web_logs" AND http_method="GET" AND (uri_path="/wp-json/ulisting/v1/ulisting-user/search" OR uri_path="/1/api/ulisting-user/search" OR uri_query="*rest_route=*ulisting-user/search*")
Adjust the field names (uri_path, uri_query, http_method) to your log schema. Do not exclude requests by User-Agent (for example NOT user_agent="WordPress/*"): the header is attacker-controlled and the exclusion only hides the activity you are looking for. Review any source that hits the endpoint repeatedly or pages through results.
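To make the indicators above concrete, here is an added example (not part of the advisory and not vendor code) that scans combined-format web server log lines for the enumeration pattern. It normalises the three URL forms an attacker can use (the /wp-json/ path, the /1/api/ path named on this page, and the ?rest_route= query form, URL-encoded or not) and counts hits per source address. The log lines are constructed samples with documentation IP addresses, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Route suffix shared by every URL form of the vulnerable endpoint.
VULN_ROUTE = "ulisting-user/search"

# Constructed sample access log (Apache/nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2021:10:01:02 +0000] "GET /wp-json/ulisting/v1/ulisting-user/search HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
203.0.113.7 - - [12/Apr/2021:10:01:03 +0000] "GET /wp-json/ulisting/v1/ulisting-user/search?page=2 HTTP/1.1" 200 5098 "-" "python-requests/2.25.1"
198.51.100.4 - - [12/Apr/2021:10:02:10 +0000] "GET /?rest_route=%2Fulisting%2Fv1%2Fulisting-user%2Fsearch HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2021:10:02:40 +0000] "GET /1/api/ulisting-user/search HTTP/1.1" 200 5120 "-" "WordPress/5.7; https://victim.example"
192.0.2.9 - - [12/Apr/2021:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2021:10:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def requested_route(target):
    """Return the route a request resolves to.

    /wp-json/<route>            -> /<route>
    /?rest_route=<route>        -> <route> (query form WordPress also accepts)
    anything else               -> the decoded path itself (covers /1/api/...)
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):]
    query = parse_qs(parts.query)  # parse_qs already percent-decodes values
    if "rest_route" in query:
        return query["rest_route"][0]
    return path


def is_enumeration_hit(line):
    """Return a dict describing the request if it targets the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route = requested_route(m["target"])
    if m["method"] == "GET" and route.rstrip("/").endswith(VULN_ROUTE):
        return {"ip": m["ip"], "ts": m["ts"], "route": route, "status": m["status"]}
    return None


def find_hits(log_text):
    """All matching requests in a block of log text, in order."""
    return [h for h in (is_enumeration_hit(l) for l in log_text.splitlines()) if h]


def hits_per_source(log_text):
    """Count matching requests per source IP; repeated hits from one address suggest enumeration."""
    return Counter(h["ip"] for h in find_hits(log_text))


if __name__ == "__main__":
    for ip, n in hits_per_source(SAMPLE_LOG).most_common():
        print("%s: %d request(s) to %s" % (ip, n, VULN_ROUTE))
```

Note that the fourth sample line spoofs a WordPress/ User-Agent and is still counted: the match is on the resolved route and method only, which is why the query above should not exclude by User-Agent. Point find_hits at a real access log file's contents to triage an incident window.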
🔗 References
- https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0a6615fd-7c37-45d9-a657-0ba00df840e5?source=cve