CVE-2021-4346
📋 TL;DR
The uListing WordPress plugin up to and including version 1.6.6 lets unauthenticated attackers update arbitrary user accounts, including administrator accounts. The stm_listing_profile_edit AJAX action is reachable without a login and applies the submitted profile changes without checking that the caller is authenticated or authorized to edit the target account. Every WordPress site running a vulnerable uListing version is affected.
💻 Affected Systems
- WordPress uListing Plugin
📦 What is this software?
uListing by StylemixThemes, a directory and classified-listing plugin for WordPress.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could take over the site outright: change an administrator's credentials, install a backdoor, deface the site, or exfiltrate sensitive data.
Likely Case
Attackers change an administrator's email address, request a password reset to that address, log in, and then use the site for SEO spam or malware distribution.
If Mitigated
With proper web application firewalls and monitoring, attacks can be blocked and detected before significant damage occurs.
🎯 Exploit Status
Exploitation is a single HTTP POST to the vulnerable AJAX endpoint; no account, credentials, or special tooling are needed, so minimal technical skill is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.7 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the uListing plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.6.7 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable uListing Plugin
Temporarily deactivate the vulnerable plugin until it is patched
wp plugin deactivate ulisting
Web Application Firewall Rule
Block requests to the vulnerable AJAX endpoint
Block POST requests to /wp-admin/admin-ajax.php whose action parameter is stm_listing_profile_edit. WordPress reads the action name from $_REQUEST, so match it in both the query string and the POST body; a rule that inspects only one of them can be bypassed by sending the parameter in the other.
🧯 If You Can't Patch
- Disable the uListing plugin immediately
- Monitor requests to admin-ajax.php for the vulnerable action and for unexpected user-profile changes (see Detection & Monitoring)
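A server-side alternative to the WAF rule above, for sites that cannot patch or have no WAF in front of them, is a must-use plugin that refuses the vulnerable action before uListing's handler runs. The following is an added example, not code from uListing or from the advisory; it relies on the documented fact that wp-admin/admin-ajax.php fires the admin_init hook before dispatching wp_ajax_* / wp_ajax_nopriv_* handlers, and it assumes PHP 7.1 or later (nullable type hints). The file name, constant name and function names are this example's own. By default it blocks the action for everyone, which matches the scope of the WAF rule; set the constant to false to let logged-in users through, but note that this still does not restore the authorization check the plugin was missing, so it is a stopgap to remove once 1.6.7 or later is installed.

```php
<?php
/**
 * Plugin Name: uListing stm_listing_profile_edit stopgap (added example)
 * Description: Drop this file into wp-content/mu-plugins/ to refuse the
 *              vulnerable AJAX action until uListing is updated to 1.6.7+.
 *              Delete the file after updating.
 */

// true  : refuse the action for every request (same scope as the WAF rule).
// false : refuse it only for visitors who are not logged in.
// Assumption: losing front-end profile editing during the stopgap is acceptable.
const ULISTING_STOPGAP_BLOCK_ALL = true;

/**
 * Pure decision function, kept free of WordPress calls so it can be
 * reasoned about (and unit-tested) on its own.
 *
 * @param string|null $action    Value of the "action" request parameter, if any.
 * @param bool        $logged_in Whether WordPress considers the visitor logged in.
 * @param bool        $block_all Refuse the action even for logged-in users.
 */
function ulisting_stopgap_should_block( ?string $action, bool $logged_in, bool $block_all ): bool {
    if ( $action !== 'stm_listing_profile_edit' ) {
        return false; // any other AJAX action is none of our business
    }
    return $block_all || ! $logged_in;
}

add_action( 'admin_init', function () {
    // admin-ajax.php runs admin_init before it dispatches the action, so this
    // closure sees the request before uListing's own handler does.
    if ( ! wp_doing_ajax() ) {
        return; // ordinary wp-admin page load, not an AJAX request
    }

    // Same source admin-ajax.php itself uses, so query-string and body both count.
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : null;

    if ( ulisting_stopgap_should_block( $action, is_user_logged_in(), ULISTING_STOPGAP_BLOCK_ALL ) ) {
        // Leave a trace in the PHP error log for the detection step.
        error_log( sprintf(
            'ulisting-stopgap: refused action=%s from %s',
            $action,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        // Respond 403 with a JSON body; wp_send_json_error() terminates the request.
        wp_send_json_error( array( 'message' => 'This action is disabled.' ), 403 );
    }
}, 0 ); // priority 0: run ahead of any other admin_init callback
```

After deploying the file, confirm it is active by sending a POST to /wp-admin/admin-ajax.php with action=stm_listing_profile_edit and checking for a 403 JSON error, then repeat with the parameter in the query string; both must be refused. Must-use plugins cannot be deactivated from the admin UI, which is the point here, so remember to remove the file once the plugin is updated.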
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for uListing version 1.6.6 or earlier
Check Version:
wp plugin get ulisting --field=version
Verify Fix Applied:
Confirm uListing plugin version is 1.6.7 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=stm_listing_profile_edit from clients that do not present a wordpress_logged_in_* cookie (an IP address is never "authenticated"; the cookie is what identifies a logged-in session, and it is only visible if the Cookie header is logged)
- The action name appears in a standard access log only when it is sent in the query string; a request that carries it in the POST body shows up as a plain POST to admin-ajax.php, so body-based detection needs a WAF or request-body logging
- Several user-profile updates, in particular email-address changes on administrator accounts, from a single IP in a short window
Network Indicators:
- Unusual spikes in POST requests to the admin-ajax.php endpoint
- POST requests that change the user_email parameter (visible only where request bodies are logged)
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND method="POST" AND query.action="stm_listing_profile_edit" AND NOT cookie="*wordpress_logged_in_*"
Field names are illustrative: adapt uri_path, query.action and cookie to whatever your log pipeline extracts, and drop the cookie clause if the Cookie header is not logged (you will then see legitimate logged-in use of the action as well).
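Before the logs reach a SIEM, a quick offline scan of the raw access log is often the first step. The following is an added example, not code from uListing or the advisory: it parses Apache/nginx "combined" format lines, counts requests to /wp-admin/admin-ajax.php whose query string names the vulnerable action, flags IPs that repeat it, and separately counts admin-ajax.php POSTs with no query-string action, which is what a body-only exploit attempt looks like in this log format. The sample log lines are constructed for the example (documentation address ranges, invented timestamps); the function names, the repeat threshold and the assumption that WordPress is served from the web root are this example's own. Requires PHP 7.1 or later.

```php
<?php
// Added example: scan combined-format access logs for CVE-2021-4346 probes.
// Assumption: WordPress lives at the web root, so the endpoint is the path below.
const ULISTING_AJAX_PATH   = '/wp-admin/admin-ajax.php';
const ULISTING_VULN_ACTION = 'stm_listing_profile_edit';

/**
 * Parse one combined-format line into ip, time, method, target (path+query)
 * and status. Returns null for lines that are not log entries.
 */
function ulisting_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5] );
}

/**
 * Classify a parsed request as 'vuln_action', 'other_action',
 * 'unclassified_post' (admin-ajax POST with no action in the query string,
 * so the action, if any, was in the unlogged body) or null (not of interest).
 */
function ulisting_classify( array $req ): ?string {
    if ( $req['method'] !== 'POST' || parse_url( $req['target'], PHP_URL_PATH ) !== ULISTING_AJAX_PATH ) {
        return null;
    }
    $query = parse_url( $req['target'], PHP_URL_QUERY );
    if ( $query === null || $query === false ) {
        return 'unclassified_post';
    }
    parse_str( $query, $params );
    if ( ! isset( $params['action'] ) ) {
        return 'unclassified_post';
    }
    return $params['action'] === ULISTING_VULN_ACTION ? 'vuln_action' : 'other_action';
}

/** Summarise a list of log lines; $repeat_threshold hits from one IP flags it. */
function ulisting_scan_log( array $lines, int $repeat_threshold = 3 ): array {
    $report = array( 'hits' => array(), 'by_ip' => array(), 'repeat_offenders' => array(),
                     'unclassified_by_ip' => array(), 'unparsed' => 0 );
    foreach ( $lines as $line ) {
        $req = ulisting_parse_log_line( $line );
        if ( $req === null ) {
            $report['unparsed']++;
            continue;
        }
        $class = ulisting_classify( $req );
        if ( $class === 'vuln_action' ) {
            $report['hits'][] = array( 'ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'] );
            $report['by_ip'][ $req['ip'] ] = ( $report['by_ip'][ $req['ip'] ] ?? 0 ) + 1;
        } elseif ( $class === 'unclassified_post' ) {
            $report['unclassified_by_ip'][ $req['ip'] ] = ( $report['unclassified_by_ip'][ $req['ip'] ] ?? 0 ) + 1;
        }
    }
    foreach ( $report['by_ip'] as $ip => $n ) {
        if ( $n >= $repeat_threshold ) {
            $report['repeat_offenders'][] = $ip;
        }
    }
    return $report;
}

// Constructed sample lines, not real traffic (203.0.113.0/24 and 198.51.100.0/24
// are documentation ranges). Expected result: 4 hits, 203.0.113.5 flagged with 3,
// one unclassified body-only POST from 203.0.113.5, one unparsed line.
$sample_log = array(
    '203.0.113.5 - - [10/Mar/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2021:14:02:13 +0000] "POST /wp-admin/admin-ajax.php?action=stm_listing_profile_edit HTTP/1.1" 200 43 "-" "python-requests/2.25.1"',
    '203.0.113.5 - - [10/Mar/2021:14:02:14 +0000] "POST /wp-admin/admin-ajax.php?action=stm_listing_profile_edit HTTP/1.1" 200 43 "-" "python-requests/2.25.1"',
    '203.0.113.5 - - [10/Mar/2021:14:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=stm_listing_profile_edit HTTP/1.1" 200 43 "-" "python-requests/2.25.1"',
    '203.0.113.5 - - [10/Mar/2021:14:02:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "python-requests/2.25.1"',
    '198.51.100.7 - - [10/Mar/2021:14:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:14:06:30 +0000] "POST /wp-admin/admin-ajax.php?action=stm_listing_profile_edit HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    'garbage line that is not a log entry',
);

if ( PHP_SAPI === 'cli' ) {
    // Usage: php scan.php /var/log/apache2/access.log   (no argument: sample data)
    $lines = $argc > 1 ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : $sample_log;
    print_r( ulisting_scan_log( $lines ) );
}
```

A 403 on a hit (the last sample line) means the WAF or stopgap did its job; a 200 means the request reached the plugin and the affected account should be reviewed. The unclassified count is the blind spot of this log format: if it rises for one IP while that IP is not a logged-in editor, pull the corresponding WAF or request-body log to see which action was sent.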
🔗 References
- https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/41800ea9-1ace-42fc-9e7f-d760a126342b?source=cve