CVE-2021-4370: 
WordPress vulnerability analysis and mitigation

The uListing plugin for WordPress (CVE-2021-4370) is a critical vulnerability affecting versions up to and including 1.6.6. The vulnerability was discovered by Jerome Bruandet and disclosed on January 28, 2021. This security issue involves authorization bypass where most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated (NinTechNet Blog).

The vulnerability is characterized by broken access control issues where unauthenticated users can access both WordPress AJAX API and WP_Route API endpoints without proper authorization checks. The vulnerability has received a CVSS v3.1 score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-862 (Missing Authorization) (NVD, WPScan).

The vulnerability allows unauthenticated attackers to perform multiple critical administrative actions including arbitrary account creation with administrator privileges, modification of any WordPress option in the database, information disclosure through user enumeration, SQL injection, arbitrary post/page deletion, and creation/deletion of roles and capabilities (NinTechNet Blog).

Users are strongly advised to update immediately to version 1.7 or later, which was released on January 19, 2021. The vulnerability was initially reported to the authors on January 11, 2021, and after unsuccessful contact attempts, it was escalated to the WordPress Plugins Team on January 16, leading to the release of the patched version (NinTechNet Blog).