CVE-2021-36875: 
WordPress vulnerability analysis and mitigation

An Authenticated Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress uListing plugin versions 2.0.5 and below. The vulnerability was identified and disclosed on July 27, 2021, affecting multiple parameters including &filter[id], &filter[user], &filter[expireddate], &filter[createddate], and &filter[updated_date] (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper input validation where WPNonce is present in the original requests but fails to implement proper security checks (NVD).

The vulnerability could allow authenticated attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected pages (Patchstack).

The vulnerability was patched in version 2.0.6 of the uListing plugin. Users are advised to update to version 2.0.6 or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).