CVE-2021-4345: 
WordPress vulnerability analysis and mitigation

The uListing plugin for WordPress (versions up to 1.6.6) contained a critical vulnerability (CVE-2021-4345) related to authorization bypass. The vulnerability was discovered in the UlistingUserRole::saveroleapi method, which lacked proper capability and nonce checks. This security issue was publicly disclosed on January 28, 2021 (WPScan).

The vulnerability stems from missing authorization checks in the /1/api/ulisting-user/role/save REST route. The CVSS v3.1 score is 6.5 (Medium) according to Wordfence's assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The issue is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability allows unauthenticated attackers to perform unauthorized administrative actions, specifically the ability to remove and add roles, as well as add capabilities to the blog. This presents a significant security risk as it could lead to privilege escalation and unauthorized access to administrative functions (WPScan).

The vulnerability was fixed in uListing version 1.7. Users are strongly advised to update to this version or later to protect against potential exploitation. No alternative workarounds have been publicly documented (WPScan).