CVE-2021-4381
📋 TL;DR
The uListing WordPress plugin, up to and including version 1.6.6, has an authorization bypass vulnerability that allows unauthenticated attackers to modify arbitrary WordPress options in the database. The cause is a missing capability check and a missing nonce check in the plugin's import_new_layout method, so the option write can be triggered without being logged in. Any WordPress site running an unpatched uListing version is affected.
💻 Affected Systems
- WordPress uListing Plugin
📦 What is this software?
uListing, a directory and listing plugin for WordPress by StylemixThemes.
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover. WordPress options do not hold user passwords, but an attacker who can write arbitrary options can, for example, set users_can_register to 1 and default_role to administrator and then register an administrator account, point siteurl/home at an attacker-controlled host to redirect visitors, or tamper with settings that other plugins and themes read from the options table.
Likely Case
Site defacement, data manipulation, or installation of backdoors through WordPress option modification.
If Mitigated
Limited impact if a web application firewall or web server rule blocks unauthenticated POST requests to the vulnerable REST endpoint, or if the REST API is not reachable from the internet at all. Network segmentation of the admin interface alone does not help, because the endpoint is public and requires no login.
🎯 Exploit Status
No authentication is required; a single crafted HTTP POST to the vulnerable import endpoint is enough to trigger the option write.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.7 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the uListing plugin and click 'Update Now'.
4. Verify that the installed version is 1.6.7 or higher.
🔧 Temporary Workarounds
Disable uListing Plugin
Temporarily deactivate the vulnerable plugin until it can be patched:
wp plugin deactivate ulisting
Web Application Firewall Rule
Block requests to the vulnerable endpoint.
Block POST requests to */wp-json/ulisting/v1/import-layout*
Also block the equivalent query-string form that WordPress serves when pretty permalinks are disabled, i.e. POST requests whose query string contains rest_route=/ulisting/v1/import-layout (possibly URL-encoded as %2Fulisting%2Fv1%2Fimport-layout); a rule that matches only the /wp-json/ path can be bypassed through it.
🧯 If You Can't Patch
- Restrict access to the ulisting REST namespace at the web server or WAF (both the /wp-json/ulisting/ path and the ?rest_route= form). Restricting wp-admin alone does not help, because the vulnerable endpoint is reachable without a login.
- Enable WordPress security plugins that monitor for unauthorized option changes.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for uListing version. If version is 1.6.6 or lower, you are vulnerable.
Check Version:
wp plugin get ulisting --field=version
Verify Fix Applied:
After updating, confirm uListing version is 1.6.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-json/ulisting/v1/import-layout (or the equivalent /?rest_route=/ulisting/v1/import-layout form) from clients that are not logged-in administrators
- Unexpected changes to rows in the wp_options table (for example siteurl, home, default_role, users_can_register, active_plugins) that no administrator made; WordPress does not log option changes by default, so this requires a security plugin or database audit logging
Network Indicators:
- POST requests to the import-layout endpoint that carry no WordPress login cookie (wordpress_logged_in_*) and no X-WP-Nonce header
SIEM Query:
source="web_server" AND http_method="POST" AND (uri_path="*/wp-json/ulisting/v1/import-layout*" OR uri_query="*rest_route=*ulisting*import-layout*")
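As an added example (not part of the original advisory and not the plugin's own code), the following Python script applies the log indicators above to web server access logs in the common "combined" format. It assumes the route path stated above, /ulisting/v1/import-layout, and also recognises the ?rest_route= form that WordPress uses when pretty permalinks are off; the log lines it scans are constructed samples. Access logs do not record whether a request carried a valid WordPress login cookie or nonce, so every POST to the route is reported, and the HTTP status is kept so that requests a WAF blocked (403) can be told apart from requests the site served (2xx).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Route taken from the advisory text above (assumption: the plugin registers it under ulisting/v1).
VULN_ROUTE = "/ulisting/v1/import-layout"


def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None.

    Handles both /wp-json/<route> (pretty permalinks, including subdirectory
    installs such as /blog/wp-json/...) and /?rest_route=<route> (no permalinks).
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query)          # parse_qs already percent-decodes values
    if "rest_route" in qs:
        route = qs["rest_route"][0]
    else:
        path = unquote(parts.path)
        idx = path.find("/wp-json/")
        if idx < 0:
            return None
        route = path[idx + len("/wp-json"):]
    return route.rstrip("/") or "/"


def scan(lines):
    """Return one record per POST to the vulnerable route; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if rest_route(m["target"]) != VULN_ROUTE:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": m["status"],
            "served": m["status"].startswith("2"),   # 2xx means the option write was not blocked
            "ua": m["ua"],
        })
    return hits


def served_by_ip(hits):
    """Count served (2xx) hits per source IP, for prioritising which clients to investigate."""
    counts = {}
    for h in hits:
        if h["served"]:
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log lines (not real traffic): a benign GET, the path form,
# the URL-encoded rest_route form, an unrelated POST, a WAF-blocked retry, and junk.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2022:10:00:01 +0000] "GET /wp-json/ulisting/v1/listings HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2022:10:00:09 +0000] "POST /wp-json/ulisting/v1/import-layout HTTP/1.1" 200 87 "-" "python-requests/2.25.1"',
    '198.51.100.23 - - [12/Jan/2022:10:02:41 +0000] "POST /?rest_route=%2Fulisting%2Fv1%2Fimport-layout HTTP/1.1" 200 87 "-" "curl/7.68.0"',
    '203.0.113.9 - - [12/Jan/2022:10:03:00 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2022:10:05:30 +0000] "POST /wp-json/ulisting/v1/import-layout/ HTTP/1.1" 403 52 "-" "python-requests/2.25.1"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} served={h["served"]} ua="{h["ua"]}"')
    print("served hits per IP:", served_by_ip(found))
```

Run it against a real log with `scan(open("/var/log/nginx/access.log"))`. Any served hit before the plugin was updated to 1.6.7 should be followed by a review of wp_options for the values listed under Log Indicators.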
🔗 References
- https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2456786%40ulisting&new=2456786%40ulisting
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ff5755dc-2262-47f6-ac3a-6bca9529d088?source=cve