Description
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized. A capability check was added in 2.1.8, but the unserialize is still present.
Published: 2025-03-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The uListing WordPress plugin has a missing capability check on the stm_listing_ajax AJAX action in all releases up to and including version 2.2.0. This flaw allows any authenticated user with subscriber-level access or higher to call the action without restriction, update any post meta values, and inject PHP Objects that are unserialized. The absence of authorization contributes to CWE‑862, leading to unauthorized data modification and, through the leftover unserialize call, potential remote code execution if an attacker can craft a malicious serialized payload.

Affected Systems

WordPress sites that have installed the uListing Directory Listings plugin from stylemix and are running any version through 2.2.0 are directly affected. Users experiencing subscriber or higher roles on those sites could exploit the flaw without needing elevated permissions.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely. The vulnerability is not in the CISA KEV catalog. The likely attack vector requires an authenticated attacker who can send a crafted request to the AJAX endpoint, allowing them to tamper with post meta data or inject a PHP object for potential code execution.

Generated by OpenCVE AI on April 28, 2026 at 03:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the uListing plugin to the latest stable release that removes the unsafe unserialize call and adds a proper capability check to stm_listing_ajax.
  • If an upgrade cannot be performed immediately, modify the plugin’s stm_listing_ajax handler to enforce an administrator‑only capability or eliminate the use of unserialize on incoming data, ensuring all input is validated before processing.
  • After applying the patch or workaround, audit the post meta tables for unauthorized changes and monitor the stm_listing_ajax endpoint for anomalous activity.

Generated by OpenCVE AI on April 28, 2026 at 03:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6616 The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized. The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized. A capability check was added in 2.1.8, but the unserialize is still present.
Title Directory Listings WordPress plugin – uListing <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection Directory Listings WordPress plugin – uListing <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection
References

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00054}

 epss

{'score': 0.00074}

Fri, 28 Mar 2025 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Stylemixthemes
Stylemixthemes ulisting
CPEs cpe:2.3:a:stylemixthemes:ulisting:*:*:*:*:*:wordpress:*:*
Vendors & Products Stylemixthemes
Stylemixthemes ulisting

Mon, 17 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 15 Mar 2025 02:45:00 +0000

Type Values Removed Values Added
Description The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized.
Title Directory Listings WordPress plugin – uListing <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Stylemixthemes Ulisting
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:28.754Z

Reserved: 2025-02-24T20:05:09.999Z

Link: CVE-2025-1657

cve-icon Vulnrichment

Updated: 2025-03-17T21:26:05.613Z

cve-icon NVD

Status : Modified

Published: 2025-03-15T03:15:34.600

Modified: 2026-04-08T17:20:34.583

Link: CVE-2025-1657

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T03:30:19Z

Weaknesses