Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Stylemix uListing ulisting allows Path Traversal. This issue affects uListing: from n/a through <= 2.2.0.
Published: 2026-03-05
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Download
Action: Immediate Patch
AI Analysis

Impact

The uListing plugin for WordPress contains a Path Traversal flaw that allows an attacker to download any file from the server by manipulating the file path. This vulnerability can expose sensitive configuration files or user data, leading to confidentiality loss. The weakness is classified as CWE-22, indicating improper limitation of a pathname to a restricted directory.

Affected Systems

WordPress sites running Stylemix uListing version 2.2.0 or earlier are affected. No specific version range beyond this is listed, so all releases through 2.2.0 are considered vulnerable.

Risk and Exploitability

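The CVSS score of 4.9 corresponds to medium severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote via the web interface, as the flaw can be triggered by crafting a URL containing path traversal sequences. The recorded CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) is consistent with this: network-reachable, low attack complexity, high privileges required, and high confidentiality impact with no integrity or availability impact.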

Generated by OpenCVE AI on April 15, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uListing to a version newer than 2.2.0 as soon as a patch becomes available
  • If an upgrade is not immediately possible, enforce a web server configuration that denies access to files outside the WordPress content directory, such as using .htaccess rules or server block restrictions
  • Deploy a Web Application Firewall to filter and block requests that contain path traversal patterns, and monitor logs for suspicious file access attempts

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Stylemixthemes; Stylemixthemes ulisting; Wordpress; Wordpress wordpress
Vendors & Products | | Stylemixthemes; Stylemixthemes ulisting; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Stylemix uListing ulisting allows Path Traversal. This issue affects uListing: from n/a through <= 2.2.0.
Title | | WordPress uListing plugin <= 2.2.0 - Arbitrary File Download vulnerability
Weaknesses | | CWE-22
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:38.359Z

Reserved: 2026-02-25T12:13:47.059Z

Link: CVE-2026-28078

Vulnrichment

Updated: 2026-03-05T20:11:12.977Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:41.843

Modified: 2026-03-05T21:16:21.523

Link: CVE-2026-28078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:00:10Z

Weaknesses