Which Directory Listings WordPress plugin – uListing CVEs are tracked?

Directory Listings WordPress plugin – uListing tracked CVEs include CVE-2021-4340, CVE-2021-36879, CVE-2021-36880, CVE-2021-4370, and CVE-2021-4381.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 26 known issues Latest disclosed Feb 26, 2026

Directory Listings WordPress plugin – uListing Vulnerabilities

Q: How many Directory Listings WordPress plugin – uListing vulnerabilities have patch guidance?

26 of 26 tracked Directory Listings WordPress plugin – uListing records include a published patch path.

Review known vulnerability records for the WordPress plugin Directory Listings WordPress plugin – uListing (`ulisting`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-28078, CVE-2026-28138 and CVE-2025-32662, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 15, 2026

Priority CVE Quick Links

Fast paths into Directory Listings WordPress plugin – uListing CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2021-4340 Critical 1.7

CVE-2021-4340 Directory Listings WordPress plugin – uListing SQL Injection

uListing <= 1.6.6 - Unauthenticated SQL Injection

CVE-2021-36879 Critical 2.0.6

CVE-2021-36879 Directory Listings WordPress plugin – uListing Privilege Escalation

Listing, Classified Ads & Business Directory – uListing <= 2.0.5 - Privilege Escalation

CVE-2021-36880 Critical 2.0.4

CVE-2021-36880 Directory Listings WordPress plugin – uListing SQL Injection

Listing, Classified Ads & Business Directory – uListing <= 2.0.3 - Unauthenticated SQL Injection

CVE-2021-4370 Critical 1.7

CVE-2021-4370 Directory Listings WordPress plugin – uListing Authorization Bypass

uListing <= 1.6.6 - Missing Authorization

CVE-2021-4381 Critical 1.7

CVE-2021-4381 Directory Listings WordPress plugin – uListing Authorization Bypass

uListing <= 1.6.6 - Unauthenticated Options Changes via wp_route

CVE-2021-4346 Critical 1.7

CVE-2021-4346 Directory Listings WordPress plugin – uListing Vulnerability

uListing <= 1.6.6 - Unauthenticated Arbitrary Account Changes

CVE-2021-4343 Critical 1.7

CVE-2021-4343 Directory Listings WordPress plugin – uListing Vulnerability

uListing <= 1.6.6 - Unauthenticated Arbitrary Account Creation

CVE-2021-4341 Critical 1.7

CVE-2021-4341 Directory Listings WordPress plugin – uListing Authorization Bypass

uListing <= 1.6.6 - Unauthenticated Wordpress Options Changes via AJAX

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Directory Listings WordPress plugin – uListing so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

26 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

9 critical and 7 high severity findings.

Recent CVEs

CVE-2026-28078, CVE-2026-28138 and CVE-2025-32662

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-28078 Medium No patch listed

CVE-2026-28078: Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Editor+) Arbitrary File Download

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.2.0. This makes it possible for authentic...

Published

Feb 26, 2026

Patch Status

Not published

Open CVE-2026-28078 Report

CVE-2026-28138 Medium No patch listed

CVE-2026-28138: uListing <= 2.2.0 - Authenticated (Administrator+) PHP Object Injection

The uListing plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.0 via deserialization of untrusted input. This makes it possible for authenticat...

Published

Apr 22, 2025

Patch Status

Not published

Open CVE-2026-28138 Report

CVE-2025-32662 High No patch listed

CVE-2025-32662: uListing <= 2.2.0 - Authenticated (Subscriber+) PHP Object Injection

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.0 via deserialization of untrusted inp...

Published

Apr 15, 2025

Patch Status

Not published

Open CVE-2025-32662 Report

Known Vulnerabilities

Reports for Directory Listings WordPress plugin – uListing

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: No CVE-2026-28078

CVE-2026-28078: Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Editor+) Arbitrary File Download

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary file...

Published

Feb 26, 2026

Patched Release

Not published

Affected Versions

Versions up to 2.2.0

Next Step

Open the full report for remediation notes and references.

Open CVE-2026-28078 Report Open CVE Reference

Plugin Medium Patched: No CVE-2026-28138

CVE-2026-28138: uListing <= 2.2.0 - Authenticated (Administrator+) PHP Object Injection

The uListing plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known...

Published

Apr 22, 2025

Patched Release

Not published

Affected Versions

Versions up to 2.2.0

Next Step

Open the full report for remediation notes and references.

Open CVE-2026-28138 Report Open CVE Reference

Plugin High Patched: No CVE-2025-32662

CVE-2025-32662: uListing <= 2.2.0 - Authenticated (Subscriber+) PHP Object Injection

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Subscriber-level access and a...

Published

Apr 15, 2025

Patched Release

Not published

Affected Versions

Versions up to 2.2.0

Next Step

Open the full report for remediation notes and references.

Open CVE-2025-32662 Report Open CVE Reference

Plugin Medium Patched: No CVE-2025-32122

CVE-2025-32122: uListing <= 2.1.9 - Authenticated (Administrator+) SQL Injection

The uListing plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, w...

Published

Apr 04, 2025

Patched Release

Not published

Affected Versions

Versions up to 2.1.9

Next Step

Open the full report for remediation notes and references.

Open CVE-2025-32122 Report Open CVE Reference

Plugin High Patched: No CVE-2025-1653

CVE-2025-1653: Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Subscriber+) Privilege Escalation

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.0. This is due to the stm_listing_profile_edit AJAX action not having enough restriction on the user meta that can be updated. T...

Published

Mar 14, 2025

Patched Release

Not published

Affected Versions

Versions up to 2.2.0

Next Step

Open the full report for remediation notes and references.

Open CVE-2025-1653 Report Open CVE Reference

Plugin High Patched: No CVE-2025-1657

CVE-2025-1657: Directory Listings WordPress plugin – uListing <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.2.0. This makes it pos...

Published

Mar 14, 2025

Patched Release

Not published

Affected Versions

Versions up to 2.2.0

Next Step

Open the full report for remediation notes and references.

Open CVE-2025-1657 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-25150

CVE-2025-25150: uListing <= 2.1.6 - Unauthenticated SQL Injection

The uListing plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers...

Published

Feb 03, 2025

Patched Release

2.1.7

Affected Versions

Versions up to 2.1.6

Next Step

Update to 2.1.7 or newer if supported.

Open CVE-2025-25150 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-25151

CVE-2025-25151: uListing <= 2.1.6 - Authenticated (Contributor+) SQL Injection

Published

Feb 03, 2025

Patched Release

2.1.7

Affected Versions

Versions up to 2.1.6

Next Step

Update to 2.1.7 or newer if supported.

Open CVE-2025-25151 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-47344

CVE-2024-47344: uListing <= 2.1.5 - Unauthenticated Information Exposure

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.5 via the /pricing-plan/payment endpoint. This makes it possible for unauthenticated attackers to render the pricing plan paymen...

Published

Sep 27, 2024

Patched Release

2.1.6

Affected Versions

Versions up to 2.1.5

Next Step

Update to 2.1.6 or newer if supported.

Open CVE-2024-47344 Report Open CVE Reference

Plugin Critical Patched: Yes CVE-2021-4340

CVE-2021-4340: uListing <= 1.6.6 - Unauthenticated SQL Injection

The uListing plugin for WordPress is vulnerable to generic SQL Injection via the ‘listing_id’ parameter in versions up to, and including, 1.6.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

Published

Oct 28, 2021

Patched Release

1.7

Affected Versions

Versions before 1.7

Next Step

Update to 1.7 or newer if supported.

Open CVE-2021-4340 Report Open CVE Reference

Plugin High Patched: Yes

Listing, Classified Ads & Business Directory – uListing <= 2.0.8 - Cross-Site Request Forgery

The Listing, Classified Ads & Business Directory – uListing plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.8. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthentica...

Published

Sep 06, 2021

Patched Release

2.0.9

Affected Versions

Versions up to 2.0.8

Next Step

Update to 2.0.9 or newer if supported.

Open Full Report

Plugin Critical Patched: Yes CVE-2021-36879

CVE-2021-36879: Listing, Classified Ads & Business Directory – uListing <= 2.0.5 - Privilege Escalation

Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions

Published

Jul 27, 2021

Patched Release

2.0.6

Affected Versions

Versions up to 2.0.5

Next Step

Update to 2.0.6 or newer if supported.

Open CVE-2021-36879 Report Open CVE Reference