CVE-2021-4343
📋 TL;DR
This vulnerability in the Unauthenticated Account Creation (uListing) plugin for WordPress allows unauthenticated attackers to create user accounts, including administrator accounts. It affects WordPress sites running the plugin up to and including version 1.6.6, and a successful attacker gains administrative access to the vulnerable installation.
💻 Affected Systems
- WordPress Unauthenticated Account Creation plugin (also known as uListing plugin)
📦 What is this software?
uListing by StylemixThemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers create administrator accounts, take full control of the WordPress site, install malware, steal data, deface the site, or use it as a foothold for further attacks.
Likely Case
Attackers create administrator accounts and compromise the WordPress site for malicious purposes like SEO spam, phishing, or cryptocurrency mining.
If Mitigated
With proper controls like network segmentation and monitoring, impact is limited to the affected WordPress instance, but administrative compromise still occurs.
🎯 Exploit Status
Exploitation is simple: a crafted, unauthenticated HTTP request to the vulnerable AJAX endpoint is sufficient. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.6.7 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the 'Unauthenticated Account Creation' or 'uListing' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.6.7 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the vulnerable plugin until it is patched:
wp plugin deactivate ulisting
Block AJAX endpoint
Block access to the vulnerable AJAX endpoint via the web server configuration. Note that admin-ajax.php is also used by WordPress core and many other plugins, so denying it outright can break site functionality; where the web server or a WAF can inspect the request, restrict the rule to the stm_listing_register action instead.
# For Apache: add to .htaccess
# (Order/Deny are Apache 2.2 directives; on Apache 2.4 use "Require all denied")
<Files "admin-ajax.php">
Order Allow,Deny
Deny from all
</Files>
# For Nginx: add to the server block
location ~* /wp-admin/admin-ajax.php {
    deny all;
}
🧯 If You Can't Patch
- Remove the plugin completely if not essential for site functionality
- Implement web application firewall (WAF) rules to block requests to the stm_listing_register AJAX action
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the 'Unauthenticated Account Creation' or 'uListing' plugin at version 1.6.6 or earlier.
Check Version:
wp plugin list --name=ulisting --field=version
Verify Fix Applied:
Verify that the plugin version shown in the WordPress admin panel is 1.6.7 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=stm_listing_register
- Multiple user account creation events from single IP addresses
- Administrator account creation from unfamiliar IP addresses
Network Indicators:
- HTTP POST requests to WordPress AJAX endpoints carrying user registration parameters from sources that hold no authenticated session
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND post_data="action=stm_listing_register"
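The log indicators above, as an added detection script that is not part of this advisory: it scans constructed JSON web-log records (field names uri_path, post_data and query are assumed, following the SIEM query), flags calls to admin-ajax.php with action=stm_listing_register whether the action arrives in the query string or the POST body, and reports source IPs with repeated hits.

```python
import json
from collections import Counter
from urllib.parse import parse_qs

TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "stm_listing_register"

# Constructed sample records (not real traffic); the registration parameters
# other than `action` are made-up placeholders.
SAMPLE_LOGS = """\
{"ts":"2021-06-01T10:00:01Z","src_ip":"203.0.113.7","method":"POST","uri_path":"/wp-admin/admin-ajax.php","post_data":"action=stm_listing_register&user_email=one@example.com"}
{"ts":"2021-06-01T10:00:02Z","src_ip":"203.0.113.7","method":"POST","uri_path":"/wp-admin/admin-ajax.php","post_data":"action=stm_listing_register&user_email=two@example.com"}
{"ts":"2021-06-01T10:00:03Z","src_ip":"198.51.100.4","method":"POST","uri_path":"/wp-admin/admin-ajax.php","post_data":"action=heartbeat"}
{"ts":"2021-06-01T10:00:04Z","src_ip":"198.51.100.4","method":"GET","uri_path":"/wp-admin/admin-ajax.php","query":"action=stm_listing_register"}
{"ts":"2021-06-01T10:00:05Z","src_ip":"192.0.2.9","method":"GET","uri_path":"/index.php","query":""}
"""


def parse_records(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_register_call(rec):
    """True when the request hits admin-ajax.php with the vulnerable action.
    WordPress accepts `action` from either the query string or the POST body,
    so both fields are checked."""
    if rec.get("uri_path") != TARGET_PATH:
        return False
    for field in ("query", "post_data"):
        params = parse_qs(rec.get(field, ""))
        if TARGET_ACTION in params.get("action", []):
            return True
    return False


def find_hits(records):
    return [r for r in records if is_register_call(r)]


def ips_over_threshold(hits, threshold=2):
    """Source IPs with at least `threshold` registration calls
    (the 'multiple account creations from a single IP' indicator)."""
    counts = Counter(h["src_ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_hits(parse_records(SAMPLE_LOGS))
    for h in hits:
        print(h["ts"], h["src_ip"], h["method"], "-> stm_listing_register")
    print("repeat offenders:", ips_over_threshold(hits))
```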
🔗 References
- https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1c6bf45b-b02d-43bb-b682-7f1ae994e1d3?source=cve