Description
Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection. This issue affects uListing: from n/a through <= 2.2.0.
Published: 2026-02-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection potentially leading to arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a PHP Object Injection caused by deserialization of untrusted data in the Stylemix uListing plugin. It can allow an attacker to supply a crafted serialized payload that results in malicious objects being instantiated, which may lead to arbitrary code execution on the hosting WordPress site. This weakness is classified as CWE‑502, Deserialization of Untrusted Data.

Affected Systems

All installations of Stylemix uListing version 2.2.0 or earlier are affected. The plugin is used within WordPress sites, so any site running a vulnerable version should verify the plugin version and update or remove it as needed.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity if exploited. The EPSS score of less than 1% indicates a low estimated probability of exploitation, yet the risk is not negligible. The attack vector is most likely external, via a web request that supplies untrusted serialized data to the plugin; the CVSS vector (AV:N/AC:L/PR:H/UI:N) describes a network-reachable, low-complexity attack that requires high privileges and no user interaction. The vulnerability is not listed in the CISA KEV catalog, meaning exploitation in the wild has not been confirmed there.

Generated by OpenCVE AI on April 15, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the uListing plugin to a version newer than 2.2.0 that includes the fix for the deserialization flaw.
  • If the plugin is not essential, remove or permanently disable it from the WordPress installation.
  • Apply restrictive input validation or sanitize all data passed to the plugin, ensuring that only trusted payloads are processed.
  • Consider deploying a web application firewall rule that detects and blocks suspicious serialized payloads targeting the plugin’s endpoints.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Stylemixthemes; Stylemixthemes ulisting; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Stylemixthemes; Stylemixthemes ulisting; Wordpress; Wordpress wordpress

Thu, 26 Feb 2026 08:45:00 +0000

Values Added (no values removed):
  Description: Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection. This issue affects uListing: from n/a through <= 2.2.0.
  Title: WordPress uListing plugin <= 2.2.0 - PHP Object Injection vulnerability
  Weaknesses: CWE-502
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:09.459Z

Reserved: 2026-02-25T12:14:18.579Z

Link: CVE-2026-28138

Vulnrichment

Updated: 2026-02-26T14:34:45.472Z

NVD

Status: Deferred

Published: 2026-02-26T09:16:15.510

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-28138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z

Weaknesses