CVE-2021-36879

🗓️ 27 Sep 2021 15:32:14Reported by PatchstackType

cve🔗 web.nvd.nist.gov👁 51 Views🌐 WEB

Unauthenticated Privilege Escalation in WordPress uListing plugin (versions <= 2.0.5

Reporter	Title	Published	Views	Family All 12
CNNVD	WordPress 插件权限许可和访问控制问题漏洞	27 Sep 202100:00	–	cnnvd
CNVD	WordPress plugin uListing permission elevation vulnerability	28 Sep 202100:00	–	cnvd
Cvelist	CVE-2021-36879 WordPress uListing plugin <= 2.0.5 - Unauthenticated Privilege Escalation vulnerability	27 Sep 202115:32	–	cvelist
EUVD	EUVD-2021-23455	7 Oct 202500:30	–	euvd
NVD	CVE-2021-36879	27 Sep 202116:15	–	nvd
OSV	CVE-2021-36879	27 Sep 202116:15	–	osv
Patchstack	WordPress uListing plugin <= 2.0.5 - Unauthenticated Privilege Escalation vulnerability	27 Jul 202100:00	–	patchstack
Prion	Privilege escalation	27 Sep 202116:15	–	prion
Positive Technologies	PT-2021-21392 · WordPress · Ulisting	27 Sep 202100:00	–	ptsecurity
Vulnrichment	CVE-2021-36879 WordPress uListing plugin <= 2.0.5 - Unauthenticated Privilege Escalation vulnerability	27 Sep 202115:32	–	vulnrichment

NVD

Vulners

Node

stylemixthemes ulistingRange≤2.0.5wordpress

[
  {
    "product": "uListing (WordPress plugin)",
    "vendor": "StylemixThemes",
    "versions": [
      {
        "lessThanOrEqual": "2.0.5",
        "status": "affected",
        "version": "<= 2.0.5",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wordpress	www.wordpress.org/plugins/ulisting/
patchstack	www.patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-unauthenticated-privilege-escalation-vulnerability

Parameter	Position	Path	Description	CWE
login	request body	/wp-admin/admin-ajax.php?action=stm_listing_register	Unauthenticated privilege escalation via user registration in uListing plugin (WordPress) allows creation of an administrator account when registration is permitted.	CWE-264
first_name	request body	/wp-admin/admin-ajax.php?action=stm_listing_register	Unauthenticated privilege escalation via user registration in uListing plugin (WordPress) allows creation of an administrator account when registration is permitted.	CWE-264
last_name	request body	/wp-admin/admin-ajax.php?action=stm_listing_register	Unauthenticated privilege escalation via user registration in uListing plugin (WordPress) allows creation of an administrator account when registration is permitted.	CWE-264
email	request body	/wp-admin/admin-ajax.php?action=stm_listing_register	Unauthenticated privilege escalation via user registration in uListing plugin (WordPress) allows creation of an administrator account when registration is permitted.	CWE-264
role	request body	/wp-admin/admin-ajax.php?action=stm_listing_register	Unauthenticated privilege escalation via user registration in uListing plugin (WordPress) allows creation of an administrator account when registration is permitted.	CWE-264
password	request body	/wp-admin/admin-ajax.php?action=stm_listing_register	Unauthenticated privilege escalation via user registration in uListing plugin (WordPress) allows creation of an administrator account when registration is permitted.	CWE-264
password_repeat	request body	/wp-admin/admin-ajax.php?action=stm_listing_register	Unauthenticated privilege escalation via user registration in uListing plugin (WordPress) allows creation of an administrator account when registration is permitted.	CWE-264
nonce	request body	/wp-admin/admin-ajax.php?action=stm_listing_register	Unauthenticated privilege escalation via user registration in uListing plugin (WordPress) allows creation of an administrator account when registration is permitted.	CWE-264
custom_fields	request body	/wp-admin/admin-ajax.php?action=stm_listing_register	Unauthenticated privilege escalation via user registration in uListing plugin (WordPress) allows creation of an administrator account when registration is permitted.	CWE-264

17 Jun 2026 03:59Current

9.5High risk

Vulners AI Score9.5

CVSS 27.5

CVSS 3.19.8

EPSS0.02109

SSVC

CWE-264