{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1657", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-24T20:05:09.999Z", "datePublished": "2025-03-15T02:22:41.764Z", "dateUpdated": "2026-04-08T16:35:28.754Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:28.754Z"}, "affected": [{"vendor": "stylemix", "product": "Directory Listings WordPress plugin \u2013 uListing", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Directory Listings WordPress plugin \u2013 uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized. A capability check was added in 2.1.8, but the unserialize is still present."}], "title": "Directory Listings WordPress plugin \u2013 uListing <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e70184f-94b6-4742-b99b-6eec9d28f17c?source=cve"}, {"url": "https://wordpress.org/plugins/ulisting/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3261184/ulisting/trunk/includes/classes/StmListing.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Tan Phat"}], "timeline": [{"time": "2025-03-14T14:22:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-17T21:26:04.395069Z", "id": "CVE-2025-1657", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T21:28:49.471Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1657", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-17T21:26:04.395069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T21:26:05.613Z"}}], "cna": {"title": "Directory Listings WordPress plugin \u2013 uListing <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Tan Phat"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "stylemix", "product": "Directory Listings WordPress plugin \u2013 uListing", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-14T14:22:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e70184f-94b6-4742-b99b-6eec9d28f17c?source=cve"}, {"url": "https://wordpress.org/plugins/ulisting/"}], "descriptions": [{"lang": "en", "value": "The Directory Listings WordPress plugin \u2013 uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-15T02:22:41.764Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1657", "state": "PUBLISHED", "dateUpdated": "2025-03-17T21:28:49.471Z", "dateReserved": "2025-02-24T20:05:09.999Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-15T02:22:41.764Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stylemixthemes:ulisting:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "FD860D19-4C83-4043-8152-782413B7C1B0", "versionEndIncluding": "2.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Directory Listings WordPress plugin \u2013 uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized. A capability check was added in 2.1.8, but the unserialize is still present."}, {"lang": "es", "value": "El complemento Directory Listings WordPress plugin \u2013 uListing de WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos y a la inyecci\u00f3n de objetos PHP debido a la falta de una comprobaci\u00f3n de capacidad en la acci\u00f3n AJAX stm_listing_ajax en todas las versiones hasta la 2.1.7 incluida. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, actualizar los metadatos de las entradas e inyectar objetos PHP que podr\u00edan no estar serializados."}], "id": "CVE-2025-1657", "lastModified": "2026-04-08T17:20:34.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-15T03:15:34.600", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3261184/ulisting/trunk/includes/classes/StmListing.php"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/ulisting/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e70184f-94b6-4742-b99b-6eec9d28f17c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T03:29:40.972816+00:00", "value": {"mitigation_remediation": ["Upgrade the uListing plugin to the latest stable release that removes the unsafe unserialize call and adds a proper capability check to stm_listing_ajax.", "If an upgrade cannot be performed immediately, modify the plugin\u2019s stm_listing_ajax handler to enforce an administrator\u2011only capability or eliminate the use of unserialize on incoming data, ensuring all input is validated before processing.", "After applying the patch or workaround, audit the post meta tables for unauthorized changes and monitor the stm_listing_ajax endpoint for anomalous activity."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the uListing Directory Listings plugin from stylemix and are running any version through 2.2.0 are directly affected. Users experiencing subscriber or higher roles on those sites could exploit the flaw without needing elevated permissions.", "description_and_impact": "The uListing WordPress plugin has a missing capability check on the stm_listing_ajax AJAX action in all releases up to and including version 2.2.0. This flaw allows any authenticated user with subscriber-level access or higher to call the action without restriction, update any post meta values, and inject PHP Objects that are unserialized. The absence of authorization contributes to CWE\u2011862, leading to unauthorized data modification and, through the leftover unserialize call, potential remote code execution if an attacker can craft a malicious serialized payload.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely. The vulnerability is not in the CISA KEV catalog. The likely attack vector requires an authenticated attacker who can send a crafted request to the AJAX endpoint, allowing them to tamper with post meta data or inject a PHP object for potential code execution."}}}}, "created": "2026-04-28T03:30:19.834429+00:00", "updated": "2026-04-28T03:30:19.834439+00:00", "vendors": []}