PT-2023-12442 · WordPress · Ulisting

Jerome Bruandet · Published 2023-06-07 · Updated 2023-06-13 · CVE-2021-4339

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: uListing plugin for WordPress, versions up to and including 1.6.6

Description: The vulnerability is an authorization bypass caused by a missing capability check in the "ulisting/includes/route.php" file. The affected REST API route, /1/api/ulisting-user/search, can be called by unauthenticated attackers to retrieve the list of all users and their email addresses from the database.

Recommendations: For versions up to and including 1.6.6, update to a version that includes a fix for the missing capability check in the "ulisting/includes/route.php" file, so that unauthorized access to user data is prevented. As a temporary workaround, consider restricting access to the /1/api/ulisting-user/search API endpoint until a patch is available.
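A defender-side illustration of the bug class described above, added here as an example that is not uListing's code and not the plugin's actual route registration (the namespace, route, capability choice and callback names are hypothetical): a WordPress REST route registered without an effective permission_callback, beside a version that enforces a capability check and returns only the fields the feature needs.

```php
<?php
// Added example, not from the uListing plugin. Namespace, route and
// function names below are hypothetical.

// Vulnerable pattern: the route is registered with no capability check
// ('__return_true' or an absent permission_callback has the same effect),
// so any unauthenticated visitor can call it and enumerate users.
//
// register_rest_route( 'example-listing/v1', '/user/search', array(
//     'methods'             => WP_REST_Server::READABLE,
//     'callback'            => 'example_listing_user_search',
//     'permission_callback' => '__return_true',
// ) );

// Hardened registration: a permission_callback that requires the
// 'list_users' capability, plus input sanitization for the search term.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-listing/v1', '/user/search', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_listing_user_search',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'list_users' ) ) {
                // 401 for anonymous callers, 403 for logged-in users lacking the capability.
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to search users.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            's' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_listing_user_search( WP_REST_Request $request ) {
    $users = get_users( array(
        'search' => '*' . $request['s'] . '*',
        'number' => 20,
        'fields' => array( 'ID', 'display_name' ),
    ) );
    // Return only what the UI needs; user_email is never sent to the caller.
    return rest_ensure_response( array_map( function ( $u ) {
        return array( 'id' => (int) $u->ID, 'name' => $u->display_name );
    }, $users ) );
}
```

The permission_callback runs before the route callback, so a missing or always-true one is exactly the "missing capability check" condition the advisory describes; WordPress also logs a _doing_it_wrong notice for routes registered without any permission_callback since 5.5.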

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2021-4339

Affected Products: Ulisting