NVD:CVE-2021-4346
Jun 07, 2023 - 2:15 a.m.

CVE-2021-4346

2023-06-07 02:15:13
CWE-862
web.nvd.nist.gov
ulisting, wordpress, vulnerability, unauthenticated, account changes, admin account

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 9.5
Confidence: High

EPSS: 0.001
Percentile: 48.9%

The uListing plugin for WordPress is vulnerable to Unauthenticated Arbitrary Account Changes in versions up to, and including, 1.6.6. This is due to missing login checks on the stm_listing_profile_edit AJAX action. This makes it possible for unauthenticated attackers to edit any account on the blog, such as changing the admin account’s email address.

Affected configurations

Nvd
Node: stylemixthemes ulisting, Range 1.6.6, wordpress

Vendor: stylemixthemes
Product: ulisting
Version: *
CPE: cpe:2.3:a:stylemixthemes:ulisting:*:*:*:*:*:wordpress:*:*
