CVE-2021-4343: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2021-4343 affects the uListing plugin for WordPress in versions up to and including 1.6.6. This critical security flaw allows for Unauthenticated Account Creation due to the stmlistingregister AJAX action function being accessible without proper authorization controls. The vulnerability was publicly disclosed on January 28, 2021, and received a CVSS v3.1 base score of 9.8 (Critical) (WPScan, NVD).

The vulnerability stems from missing authorization checks in the stmlistingregister() AJAX action function. This function was accessible to both authenticated and unauthenticated users and lacked proper capability and CSRF checks. The severity is rated as Critical with a CVSS v3.1 Base Score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-862 (Missing Authorization) (NVD, WPScan).

The vulnerability allows unauthenticated attackers to create arbitrary accounts on affected WordPress installations, including accounts with administrator privileges. This could lead to complete site compromise as administrator accounts have full control over the WordPress installation (NVD).

The vulnerability has been fixed in uListing version 1.7. Users are strongly advised to update their uListing plugin to version 1.7 or later to mitigate this security risk (WPScan).