
Cloud Vulnerability DB
A community-led vulnerabilities database
An unauthenticated SQL injection (SQLi) vulnerability was discovered in the WordPress uListing plugin, versions 2.0.3 and below. It is tracked as CVE-2021-36880 and was publicly disclosed on July 26, 2021. The vulnerability affects the 'custom' parameter in the plugin (Patchstack, NVD).
The SQL injection can be exploited through multiple techniques, including error-based, boolean-based blind, and time-based blind SQL injection. It received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD and 8.6 (HIGH) from Patchstack, and is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD, WPScan).
The vulnerability allows unauthenticated attackers to directly interact with the website's database. This could potentially lead to unauthorized access to sensitive information, including user data, and could allow attackers to manipulate or extract information from the database (Patchstack).
The vulnerability was patched in version 2.0.4 of the uListing plugin. Users are strongly advised to update to this version or later to resolve the vulnerability. Virtual patching solutions are available through security providers to mitigate the vulnerability until updates can be applied (Patchstack).
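To act on the version boundary above, the following added example (not code from the advisory or the plugin) scans a WordPress plugins directory and flags uListing installs older than 2.0.4. It assumes the plugin's header name contains "uListing" and that plugins sit one directory deep, as in a standard `wp-content/plugins` layout.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 0, 4)  # first patched release, per the advisory text
# Approximates how WordPress reads "Plugin Name:" / "Version:" header lines.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$",
                    re.M | re.I)


def parse_header(php_source):
    """Return (plugin_name, version) from a plugin file's header comment."""
    fields = {}
    # WordPress only inspects the first 8 KB of the file for header fields.
    for key, value in HEADER.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields.get("plugin name"), fields.get("version")


def version_tuple(version):
    """'2.0.3' -> (2, 0, 3); short versions are padded, '2.1' -> (2, 1, 0)."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True for versions 2.0.3 and below."""
    return version_tuple(version) < FIXED


def scan(plugins_dir):
    """Return [(file, version, affected)] for each uListing header found."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        name, version = parse_header(php.read_text(errors="replace"))
        # Assumption: the header name contains "uListing" (add-ons may match too).
        if name and version and "ulisting" in name.lower():
            hits.append((str(php), version, is_affected(version)))
    return hits


if __name__ == "__main__":
    # Usage: python check_ulisting.py /var/www/html/wp-content/plugins
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else []
    for path, version, affected in results:
        print(f"{'AFFECTED' if affected else 'ok':8} {version:10} {path}")
    sys.exit(1 if any(r[2] for r in results) else 0)
```

The non-zero exit status on an affected install lets the check run from cron or a CI job across many sites.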
Source: This report was generated using AI