CVE-2021-36880 - Vulnerability Details - OpenCVE

Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Stylemixthemes	Ulisting

Configuration 1 [-]

cpe:2.3:a:stylemixthemes:ulisting:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability
https://wordpress.org/plugins/ulisting/#developers

History

Fri, 28 Mar 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2021-09-27T15:32:46.608Z

Updated: 2025-03-28T16:50:55.350Z

Reserved: 2021-07-19T00:00:00.000Z

Link: CVE-2021-36880

Vulnrichment

Updated: 2024-08-04T01:01:59.679Z

NVD

Status : Modified

Published: 2021-09-27T16:15:09.700

Modified: 2024-11-21T06:14:14.760

Link: CVE-2021-36880

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "uListing (WordPress plugin)", "vendor": "StylemixThemes", "versions": [{"lessThanOrEqual": "2.0.3", "status": "affected", "version": "<= 2.0.3", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Original researcher - m0ze (Patchstack Red Team)"}], "datePublic": "2021-07-26T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-27T15:32:46.000Z", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wordpress.org/plugins/ulisting/#developers"}, {"tags": ["x_refsource_MISC"], "url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"}], "solutions": [{"lang": "en", "value": "Update to 2.0.4 or higher version."}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "audit@patchstack.com", "DATE_PUBLIC": "2021-07-26T07:34:00.000Z", "ID": "CVE-2021-36880", "STATE": "PUBLIC", "TITLE": "WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "uListing (WordPress plugin)", "version": {"version_data": [{"version_affected": "<=", "version_name": "<= 2.0.3", "version_value": "2.0.3"}]}}]}, "vendor_name": "StylemixThemes"}]}}, "credit": [{"lang": "eng", "value": "Original researcher - m0ze (Patchstack Red Team)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://wordpress.org/plugins/ulisting/#developers", "refsource": "CONFIRM", "url": "https://wordpress.org/plugins/ulisting/#developers"}, {"name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability", "refsource": "MISC", "url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"}]}, "solution": [{"lang": "en", "value": "Update to 2.0.4 or higher version."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.679Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wordpress.org/plugins/ulisting/#developers"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-28T16:50:50.787554Z", "id": "CVE-2021-36880", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T16:50:55.350Z"}}]}, "cveMetadata": {"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2021-36880", "datePublished": "2021-09-27T15:32:46.608Z", "dateReserved": "2021-07-19T00:00:00.000Z", "dateUpdated": "2025-03-28T16:50:55.350Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wordpress.org/plugins/ulisting/#developers", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.679Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-36880", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-28T16:50:50.787554Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T16:50:44.366Z"}}], "cna": {"title": "WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Original researcher - m0ze (Patchstack Red Team)"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "StylemixThemes", "product": "uListing (WordPress plugin)", "versions": [{"status": "affected", "version": "<= 2.0.3", "versionType": "custom", "lessThanOrEqual": "2.0.3"}]}], "solutions": [{"lang": "en", "value": "Update to 2.0.4 or higher version."}], "datePublic": "2021-07-26T00:00:00.000Z", "references": [{"url": "https://wordpress.org/plugins/ulisting/#developers", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2021-09-27T15:32:46.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Original researcher - m0ze (Patchstack Red Team)"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "<= 2.0.3", "version_value": "2.0.3", "version_affected": "<="}]}, "product_name": "uListing (WordPress plugin)"}]}, "vendor_name": "StylemixThemes"}]}}, "solution": [{"lang": "en", "value": "Update to 2.0.4 or higher version."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://wordpress.org/plugins/ulisting/#developers", "name": "https://wordpress.org/plugins/ulisting/#developers", "refsource": "CONFIRM"}, {"url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability", "name": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-36880", "STATE": "PUBLIC", "TITLE": "WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability", "ASSIGNER": "audit@patchstack.com", "DATE_PUBLIC": "2021-07-26T07:34:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-36880", "state": "PUBLISHED", "dateUpdated": "2025-03-28T16:50:55.350Z", "dateReserved": "2021-07-19T00:00:00.000Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2021-09-27T15:32:46.608Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stylemixthemes:ulisting:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "10B93E62-8D50-41FC-A7A1-3891971E0D8F", "versionEndIncluding": "2.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL no autenticada (SQLi) en el plugin uListing de WordPress (versiones anteriores a 2.0.3 incluy\u00e9ndola), par\u00e1metro vulnerable: custom"}], "id": "CVE-2021-36880", "lastModified": "2024-11-21T06:14:14.760", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-27T16:15:09.700", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"}, {"source": "audit@patchstack.com", "tags": ["Product", "Third Party Advisory"], "url": "https://wordpress.org/plugins/ulisting/#developers"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://wordpress.org/plugins/ulisting/#developers"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}