Security readout for executives and security teams
Plain-English summary
CVE-2021-36875 is an authenticated reflected XSS issue in the WordPress uListing plugin through 2.0.5. It matters if the plugin is installed on public WordPress sites, but the source data shows medium severity and does not show active exploitation.
Executive priority
Treat this as a moderate maintenance priority. Address exposed WordPress sites using uListing, but prioritize higher-risk vulnerabilities unless this plugin is business-critical or widely deployed.
Technical view
The issue is CWE-79 in Stylemix Directory Listings WordPress plugin – uListing through version 2.0.5. CVSS 3.1 is 5.9 with network attack vector, low complexity, high privileges required, user interaction required, and changed scope.
Likely exposure
Exposure is limited to WordPress sites running uListing version 2.0.5 or earlier. Sites without this plugin, or running versions outside the affected range, are not indicated as affected by the supplied sources.
Exploitation context
The bundle marks KEV as false, and no cited source states exploitation in the wild. The CVSS vector indicates an attacker needs authenticated high privileges and user interaction, reducing broad internet-scale risk.
Researcher notes
Evidence is narrow: the sources identify authenticated reflected XSS and the affected range, but do not provide exploit details, observed exploitation, or a named fixed version in the supplied bundle.
Mitigation direction
- Inventory WordPress sites for the uListing plugin and installed version.
- Upgrade or remove uListing according to current vendor or WordPress plugin guidance.
- Restrict administrative access to trusted users only.
- Monitor vendor advisories for the fixed or unaffected version details.
Validation and detection
- Confirm whether uListing is installed on each WordPress site.
- Record the installed version and compare it to the affected range through 2.0.5.
- Review privileged WordPress accounts for unnecessary access.
- Check security monitoring for suspicious authenticated activity involving uListing pages.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2021-36875 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.9 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L1.73.7Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
5.9MediumVector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Source materials
- CVE List V5 sourceCVE List V5
- https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-reflected-cross-site-scripting-xss-vulnerability?_s_id=cveCVE reference · vdb-entry
- https://wordpress.org/plugins/ulisting/#developersCVE reference · x_refsource_CONFIRM, x_transferred
- https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-reflected-cross-site-scripting-xss-vulnerabilityCVE reference · x_refsource_MISC, x_transferred
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
