CVE-2025-1657
📋 TL;DR
The uListing – Directory Listings WordPress plugin does not properly restrict its stm_listing_ajax AJAX action. Any authenticated user with subscriber-level access or higher can use it to modify post metadata and inject PHP objects via admin-ajax.php requests. Depending on what classes are loaded on the site, this can lead to arbitrary code execution or data manipulation. All WordPress installations running uListing versions up to and including 2.1.7 are vulnerable.
💻 Affected Systems
- uListing - Directory Listings WordPress plugin
📦 What is this software?
uListing is a directory-listing plugin for WordPress, published by Stylemixthemes.
⚠️ Risk & Real-World Impact
Worst Case
Full site compromise through remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to other systems.
Likely Case
Unauthorized modification of WordPress content, injection of malicious scripts, or privilege escalation leading to administrative access.
If Mitigated
Limited impact if proper access controls and monitoring are in place, potentially only affecting non-critical post metadata.
🎯 Exploit Status
Exploitation requires an authenticated account, but only subscriber-level privileges. Subscriber is the default role assigned to self-registered accounts, so a site with "Anyone can register" enabled is effectively exposed to unauthenticated attackers. Turning the PHP object injection into code execution requires a usable gadget chain in the classes loaded by WordPress core, the theme or other plugins; modifying post metadata requires no such chain.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.1.8 or later
Vendor Advisory: https://wordpress.org/plugins/ulisting/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'uListing - Directory Listings' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable stm_listing_ajax AJAX action.
Add to the theme's functions.php or a must-use plugin: remove_action('wp_ajax_stm_listing_ajax', 'stm_listing_ajax'); remove_action('wp_ajax_nopriv_stm_listing_ajax', 'stm_listing_ajax');
Caveat: remove_action() only works when the callback and priority match exactly what the plugin registered. The callback name 'stm_listing_ajax' above is a placeholder; check the plugin source for the real callback (it may be a class method), and if the plugin registers the hook on init, run the removal from a later init callback. Removing the action disables the feature entirely for all users.
Capability check workaround
Add a capability check that runs before the plugin's handler, so low-privilege users are rejected.
Add to the theme's functions.php or a must-use plugin (priority 0 makes it run before the plugin's own handler, which is registered at the default priority or later): add_action('wp_ajax_stm_listing_ajax', function () { if (!current_user_can('edit_posts')) { wp_die('Unauthorized', 'Forbidden', array('response' => 403)); } }, 0);
Caveat: edit_posts blocks every subscriber, which is the point, but if your site lets low-privilege users submit or manage listings from the front end this will break that workflow; pick the capability that matches your site's listing workflow and test it.
🧯 If You Can't Patch
- Temporarily disable the uListing plugin if not essential for site functionality
- Implement strict access controls and monitor for suspicious AJAX requests to stm_listing_ajax endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → uListing version. If version is 2.1.7 or lower, system is vulnerable.
Check Version:
wp plugin list --name=ulisting --field=version (if WP-CLI installed) or check WordPress admin plugins page
Verify Fix Applied:
Verify uListing plugin version is 2.1.8 or higher in WordPress admin panel. Test AJAX functionality to ensure it still works with proper authorization.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=stm_listing_ajax from non-admin users
- Unexpected changes to wp_postmeta rows, visible through an audit-log plugin or database query logging (WordPress keeps no change log of its own)
- PHP unserialization errors in error logs
Network Indicators:
- HTTP POST requests to admin-ajax.php with stm_listing_ajax parameter from unexpected user roles
- PHP serialized-object markers (O:<length>:"<class>": ...) in POST bodies; these are only visible where request bodies are logged, e.g. in WAF or ModSecurity audit logs
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "stm_listing_ajax" AND (user_role="subscriber" OR user_role="contributor" OR user_role="author")
Note: this query is pseudo-syntax and assumes a log source enriched with the requesting user's role (an audit-log plugin or application-level logging). Plain web server access logs record neither the role nor the POST body, so they can only show admin-ajax.php hits where action=stm_listing_ajax appears in the query string.
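The detection logic above, run over a few constructed access-log lines, as an added example that is not part of the original advisory. It parses combined-format log lines, flags admin-ajax.php requests whose action is stm_listing_ajax (from the query string, or from a request body if a WAF/audit log supplies one), counts hits per source IP, and checks a body for the PHP serialized-object header that a PHP object injection payload must carry. The log lines, the body map and the timestamp-based correlation are all constructed for illustration; a real pipeline would correlate on a request ID.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

VULN_ACTION = "stm_listing_ajax"

# Constructed sample lines in combined log format (not real traffic).
# WordPress accepts "action" in the query string or the POST body; only the
# query string is visible here, which is why line 4 has no visible action.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=stm_listing_ajax HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=stm_listing_ajax HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2025:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=stm_listing_ajax HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Constructed request bodies keyed by log timestamp, standing in for a WAF or
# ModSecurity audit log. The body carries a URL-encoded serialized stdClass.
SAMPLE_BODIES = {
    "10/Mar/2025:12:00:04 +0000":
        "action=stm_listing_ajax&post_id=12&meta=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# PHP serialized object header: O:<len>:"<class>":<nprops>:{ (C: is the custom
# serialize variant). Namespaced class names contain backslashes.
SERIALIZED_OBJ_RE = re.compile(r'(?:^|[^A-Za-z])[OC]:\d+:"[A-Za-z0-9_\\]+":\d+:[{]')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def find_stm_listing_requests(log_text, body_by_ts=None):
    """Return parsed entries that hit admin-ajax.php with action=stm_listing_ajax.

    The action is read from the query string; when body_by_ts (timestamp -> raw
    POST body) is given, bodies are consulted for requests without one in the URL.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not entry["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        action = entry["query"].get("action", [None])[0]
        if action is None and body_by_ts:
            body = body_by_ts.get(entry["ts"], "")
            action = parse_qs(body).get("action", [None])[0]
        if action == VULN_ACTION:
            hits.append(entry)
    return hits


def flag_bursts(hits, threshold=2):
    """Source IPs that issued at least `threshold` stm_listing_ajax requests, sorted."""
    counts = Counter(entry["ip"] for entry in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def has_serialized_object(body):
    """True if a (possibly URL-encoded) request body carries a PHP serialized object."""
    return SERIALIZED_OBJ_RE.search(unquote_plus(body)) is not None


if __name__ == "__main__":
    hits = find_stm_listing_requests(SAMPLE_LOG, SAMPLE_BODIES)
    for entry in hits:
        body = SAMPLE_BODIES.get(entry["ts"], "")
        print(entry["ip"], entry["ts"], entry["status"],
              "SERIALIZED-OBJECT" if has_serialized_object(body) else "")
    print("burst sources:", flag_bursts(hits))
```

Without the body map only the three requests carrying the action in the query string are found; with it, the fourth request is found as well and its body is flagged for the O:8:"stdClass" header. A 403 on such a request (last sample line) is what the capability-check workaround above produces, so 403s from low-privilege accounts are attempts, not successes.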