Directory Listings WordPress plugin – uListing Security & Risk Analysis

wordpress.org/plugins/ulisting

This directory listings WordPress plugin is a fantastic tool for creating a professional business directory listings website on WordPress with no hass …

1K active installs · v2.2.0 · PHP + · WP 4.6+ · Updated Apr 15, 2025
Tags: classified, classified-ads, listings, real-estate
Score 2/100 · Grade F · Critical Risk
CVEs total: 26
Unpatched: 6
Last CVE: Feb 26, 2026
Safety Verdict

Is Directory Listings WordPress plugin – uListing Safe to Use in 2026?

Critical Risk — Avoid

Score 2/100

Directory Listings WordPress plugin – uListing is critically unsafe with 26 known CVEs, 6 still unpatched. Avoid in production.

26 known CVEs · 6 unpatched · Last CVE: Feb 26, 2026 · Updated 1yr ago
Risk Assessment

The ulisting plugin v2.2.0 presents a significant security risk due to its extensive vulnerability history and concerning static analysis findings. The plugin does show some good practices (a majority of its SQL queries, 54%, use prepared statements, and 81% of its outputs are escaped), but these are overshadowed by critical weaknesses. The presence of 26 known CVEs, 6 of them currently unpatched and many rated critical or high, indicates a recurring pattern of insecure coding and suggests that security auditing and remediation are not built into the plugin's development lifecycle.

The static analysis reveals several red flags. Notably, one AJAX handler (wp_ajax_stm_ulisting_ajax_add_feedback) is flagged as unprotected: because it is registered on the wp_ajax_ hook it runs for any logged-in user, Subscribers included, and the analysis found no nonce or capability check guarding it, the same class of weakness as the plugin's many missing-authorization CVEs. The use of the dangerous `unserialize` function, together with 5 taint flows that reach a sink without passing a sanitizer, raises the prospect of PHP object injection, which escalates to remote code execution when a suitable gadget chain exists in the loaded code. The value passed to `unserialize` in the flagged call (`$listing_order[0]`) appears to be read back from stored data rather than straight from the request, so exploitability hinges on who can write that stored value; given the unpatched CVE-2025-1657 (Subscriber+ arbitrary post meta update leading to PHP object injection), that is not a comfortable assumption. Furthermore, the attack surface includes 9 shortcodes and a cron event alongside the AJAX handler, so the number of reachable entry points is larger than the single flagged one suggests.

In conclusion, despite the nonce and capability checks that are present (5 and 33 respectively in the analyzed code), the ulisting plugin v2.2.0 has a poor security posture. The sheer volume and severity of past vulnerabilities, combined with the newly identified unprotected AJAX handler and deserialization risk, make this plugin a high-risk component. Users should exercise extreme caution, and prompt patching of the unaddressed vulnerabilities is critical.
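What a protected version of a logged-in AJAX handler looks like, as an added example; this is not uListing's code, and the handler name (example_add_feedback), the nonce action and the option name are hypothetical. Only WordPress core functions are used, so the pattern applies to any plugin's wp_ajax_ handler, including the one flagged above.

```php
<?php
// Added example, not uListing code. Shows the checks that make a wp_ajax_
// handler "protected": a nonce (anti-CSRF), a capability check (authorization)
// and input sanitization. Handler, nonce action and option names are hypothetical.

// Weak form. Registering on wp_ajax_ (rather than wp_ajax_nopriv_) only
// guarantees "some logged-in user": a Subscriber can POST
// action=example_add_feedback to admin-ajax.php, and nothing below checks
// who they are or whether the request was intended.
add_action( 'wp_ajax_example_add_feedback', 'example_add_feedback_unprotected' );
function example_add_feedback_unprotected() {
    update_option( 'example_feedback', $_POST['feedback'] ); // no nonce, no capability, raw input
    wp_send_json_success();
}

// Hardened form.
add_action( 'wp_ajax_example_add_feedback_v2', 'example_add_feedback_protected' );
function example_add_feedback_protected() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    On failure check_ajax_referer() ends the request with -1 / HTTP 403.
    check_ajax_referer( 'example_add_feedback', 'nonce' );

    // 2. Authorization: writing a site option is an administrator operation,
    //    so require that capability rather than mere login.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validate and sanitize before anything reaches the database.
    $feedback = isset( $_POST['feedback'] )
        ? sanitize_text_field( wp_unslash( $_POST['feedback'] ) )
        : '';
    if ( '' === $feedback || strlen( $feedback ) > 500 ) {
        wp_send_json_error( array( 'message' => 'invalid feedback' ), 400 );
    }

    update_option( 'example_feedback', $feedback );
    wp_send_json_success( array( 'saved' => true ) );
}

// The client must send the matching nonce: mint it server-side with
// wp_create_nonce( 'example_add_feedback' ), hand it to the script (for
// example via wp_localize_script()), and include it as nonce=<value>.
```

When reviewing the handler at includes\admin\classes\StmAdminNotice.php:38, check for all three. A nonce alone stops cross-site requests but not a logged-in low-privilege user who can read the nonce off a page they are allowed to view; the capability check is what prevents privilege escalation.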

Key Concerns

  • Multiple unpatched CVEs
  • Unprotected AJAX handler
  • Dangerous function: unserialize
  • Flows with unsanitized paths
  • Bundled library Select2
  • Bundled library TinyMCE
Vulnerabilities
26 published

Directory Listings WordPress plugin – uListing Security Vulnerabilities

CVEs by Year

2021: 17 CVEs (all patched)
2024: 1 CVE (patched)
2025: 7 CVEs (5 unpatched)
2026: 1 CVE (unpatched)

Severity Breakdown

Critical: 9
High: 7
Medium: 10

26 total CVEs

CVE-2026-28078 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Editor+) Arbitrary File Download

Feb 26, 2026 · Unpatched
CVE-2026-28138 · medium · 6.6 · Deserialization of Untrusted Data

uListing <= 2.2.0 - Authenticated (Administrator+) PHP Object Injection

Apr 22, 2025 · Unpatched
CVE-2025-32662 · high · 8.8 · Deserialization of Untrusted Data

uListing <= 2.2.0 - Authenticated (Subscriber+) PHP Object Injection

Apr 15, 2025 · Unpatched
CVE-2025-32122 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

uListing <= 2.1.9 - Authenticated (Administrator+) SQL Injection

Apr 4, 2025 · Unpatched
CVE-2025-1653 · high · 8.8 · Incorrect Privilege Assignment

Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Subscriber+) Privilege Escalation

Mar 14, 2025 · Unpatched
CVE-2025-1657 · high · 8.8 · Missing Authorization

Directory Listings WordPress plugin – uListing <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection

Mar 14, 2025 · Unpatched
CVE-2025-25150 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

uListing <= 2.1.6 - Unauthenticated SQL Injection

Feb 3, 2025 · Patched in 2.1.7 (10d)
CVE-2025-25151 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

uListing <= 2.1.6 - Authenticated (Contributor+) SQL Injection

Feb 3, 2025 · Patched in 2.1.7 (10d)
CVE-2024-47344 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

uListing <= 2.1.5 - Unauthenticated Information Exposure

Sep 27, 2024 · Patched in 2.1.6 (7d)
CVE-2021-4340 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

uListing <= 1.6.6 - Unauthenticated SQL Injection

Oct 28, 2021 · Patched in 1.7 (817d)
WF-284b9b04-aa8f-41ff-b944-3488c5da8e20-ulisting · high · 8.8 · Cross-Site Request Forgery (CSRF)

Listing, Classified Ads & Business Directory – uListing <= 2.0.8 - Cross-Site Request Forgery

Sep 6, 2021 · Patched in 2.0.9 (869d)
CVE-2021-36879 · critical · 9.8 · Improper Privilege Management

Listing, Classified Ads & Business Directory – uListing <= 2.0.5 - Privilege Escalation

Jul 27, 2021 · Patched in 2.0.6 (910d)
CVE-2021-36878 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

uListing <= 2.0.5 - Cross-Site Request Forgery leading to Settings Change

Jul 27, 2021 · Patched in 2.0.6 (910d)
CVE-2021-36877 · medium · 6.5 · Cross-Site Request Forgery (CSRF)

Listing, Classified Ads & Business Directory – uListing <= 2.0.5 - Cross-Site Request Forgery

Jul 27, 2021 · Patched in 2.0.6 (910d)
CVE-2021-36876 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Listing, Classified Ads & Business Directory – uListing <= 2.0.5 - Cross-Site Request Forgery

Jul 27, 2021 · Patched in 2.0.6 (910d)
CVE-2021-36875 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Listing, Classified Ads & Business Directory – uListing <= 2.0.5 - Reflected Cross-Site Scripting

Jul 27, 2021 · Patched in 2.0.6 (910d)
CVE-2021-36874 · high · 7.1 · Authorization Bypass Through User-Controlled Key

uListing plugin <= 2.0.5 - Authenticated Insecure Direct Object References (IDOR)

Jul 27, 2021 · Patched in 2.0.6 (910d)
CVE-2021-36880 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Listing, Classified Ads & Business Directory – uListing <= 2.0.3 - Unauthenticated SQL Injection

Jul 26, 2021 · Patched in 2.0.4 (911d)
CVE-2021-4339 · high · 7.5 · Missing Authorization

uListing <= 1.6.6 - Unauthenticated Information Disclosure

Jan 28, 2021 · Patched in 1.7 (1090d)
CVE-2021-4341 · critical · 9.8 · Missing Authorization

uListing <= 1.6.6 - Unauthenticated WordPress Options Changes via AJAX

Jan 28, 2021 · Patched in 1.7 (1090d)
CVE-2021-4343 · critical · 9.8 · Missing Authorization

uListing <= 1.6.6 - Unauthenticated Arbitrary Account Creation

Jan 28, 2021 · Patched in 1.7 (1090d)
CVE-2021-4346 · critical · 9.8 · Missing Authorization

uListing <= 1.6.6 - Unauthenticated Arbitrary Account Changes

Jan 28, 2021 · Patched in 1.7 (1090d)
CVE-2021-4345 · medium · 6.5 · Missing Authorization

uListing <= 1.6.6 - Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion

Jan 28, 2021 · Patched in 1.7 (1090d)
CVE-2021-4357 · critical · 9.1 · Missing Authorization

uListing <= 1.6.6 - Unauthenticated Arbitrary Post/Page Deletion

Jan 28, 2021 · Patched in 1.7 (1090d)
CVE-2021-4370 · critical · 9.8 · Missing Authorization

uListing <= 1.6.6 - Missing Authorization

Jan 28, 2021 · Patched in 1.7 (1090d)
CVE-2021-4381 · critical · 9.8 · Missing Authorization

uListing <= 1.6.6 - Unauthenticated Options Changes via wp_route

Jan 28, 2021 · Patched in 1.7 (1090d)
Version History

Directory Listings WordPress plugin – uListing Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Directory Listings WordPress plugin – uListing Code Analysis

Dangerous Functions
1
Raw SQL Queries
11
13 prepared
Unescaped Output
265
1148 escaped
Nonce Checks
5
Capability Checks
33
File Operations
43
External Requests
1
Bundled Libraries
2

Dangerous Functions Found

unserialize · includes\classes\StmListingType.php:966
    return (is_array($listing_order[0])) ? $listing_order[0] : unserialize($listing_order[0]);
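The flagged pattern beside a hardened form, as an added example rather than the plugin's own code. The function names, and the assumed shape of $listing_order (an array whose first element is either an already-unserialized array or a serialized string read back from meta), are assumptions made for the example; the constructed inputs at the bottom are not captured data.

```php
<?php
// Added example, not uListing code. $listing_order stands in for a value
// read back from stored meta; its structure is assumed for the example.

// Pattern as flagged. Whoever can write the stored string can smuggle in a
// serialized object, and unserialize() will instantiate it, running the
// __wakeup()/__destruct() of any class WordPress, the theme or other plugins
// have loaded. That is the PHP object injection the CVEs above describe.
function example_listing_order_unsafe( array $listing_order ) {
    return is_array( $listing_order[0] ) ? $listing_order[0] : unserialize( $listing_order[0] );
}

// Hardened form: refuse object instantiation entirely. With
// allowed_classes => false (PHP 7.0+), a serialized object decodes to
// __PHP_Incomplete_Class, so no magic methods run, while scalars and
// arrays (the only things an ordering config needs) still round-trip.
function example_listing_order_safe( array $listing_order ): array {
    $raw = $listing_order[0] ?? array();
    if ( is_array( $raw ) ) {
        return $raw;
    }
    if ( ! is_string( $raw ) ) {
        return array();
    }
    $value = @unserialize( $raw, array( 'allowed_classes' => false ) );
    // unserialize() returns false on malformed data; 'b:0;' is the only
    // input for which false is a legitimate result.
    if ( false === $value && 'b:0;' !== $raw ) {
        return array();
    }
    // Anything that is not an array (including an incomplete-class object)
    // is not a valid ordering value, so drop it.
    return is_array( $value ) ? $value : array();
}

// Constructed inputs: a benign ordering array, and a serialized object of
// the kind a gadget-chain payload would carry.
$benign  = serialize( array( 'title', 'price', 'date' ) );
$hostile = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';

var_dump( example_listing_order_safe( array( $benign ) ) );  // the three-element array
var_dump( example_listing_order_safe( array( $hostile ) ) ); // empty array: object refused
```

Two caveats when applying this. First, WordPress core's maybe_unserialize() has historically called unserialize() without an allowed_classes restriction, so swapping it in is not by itself a fix; check the core version in use. Second, the stronger remedy is to stop storing PHP-serialized data for values that only need arrays and use wp_json_encode()/json_decode() instead, with allowed_classes => false kept as a migration-time safety net for rows already in the database.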

Bundled Libraries

Select2, TinyMCE

SQL Query Safety

54% prepared · 24 total queries

Output Escaping

81% escaped · 1413 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

13 flows · 5 with unsanitized paths
stm_listing_profile_edit (includes\classes\StmListingAuth.php:198)
Attack Surface
1 unprotected

Directory Listings WordPress plugin – uListing Attack Surface

Entry Points: 10
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_stm_ulisting_ajax_add_feedback · includes\admin\classes\StmAdminNotice.php:38

Shortcodes 9

[ulisting-comment] includes\classes\StmComment.php:77
[ulisting-user-comment] includes\classes\StmComment.php:78
[ulisting-feature] includes\classes\StmListing.php:120
[ulisting-category] includes\classes\StmListing.php:121
[ulisting-posts-view] includes\classes\StmListing.php:122
[ulisting-region-list] includes\classes\StmListingRegion.php:46
[search-form-type] includes\classes\StmListingType.php:641
[search-form-category] includes\classes\StmListingType.php:642
[ulisting_account_panel] includes\classes\StmUser.php:25
WordPress Hooks 102
action · admin_menu · includes\admin\classes\StmAdminMenu.php:12
action · admin_menu · includes\admin\classes\StmAdminMenu.php:13
action · admin_menu · includes\admin\classes\StmAdminMenu.php:16
action · admin_notices · includes\admin\classes\StmAdminNotice.php:37
action · stm_admin_notice_rate_ulisting_single · includes\admin\classes\StmAdminNotice.php:39
action · stm_listing_type_created · includes\admin\classes\StmAdminNotice.php:40
filter · set-screen-option · includes\admin\classes\StmListingAttributePanel.php:14
action · admin_menu · includes\admin\classes\StmListingAttributePanel.php:15
action · plugins_loaded · includes\admin\classes\StmListingAttributePanel.php:72
filter · set-screen-option · includes\admin\classes\UlistingSearchPanel.php:21
action · plugins_loaded · includes\admin\classes\UlistingSearchPanel.php:48
action · admin_enqueue_scripts · includes\admin\enqueue.php:123
filter · ulisting_contact_us_link · includes\admin\views\settings\contact.php:7
action · admin_notices · includes\classes\Notices.php:77
filter · manage_comments_custom_column · includes\classes\StmComment.php:81
filter · manage_edit-comments_columns · includes\classes\StmComment.php:82
filter · cron_schedules · includes\classes\StmCron.php:11
action · stm_listing_cron · includes\classes\StmCron.php:17
filter · ulisting_settings_panels · includes\classes\StmCron.php:18
action · ulisting_settings_save · includes\classes\StmCron.php:19
filter · posts_clauses_request · includes\classes\StmListing.php:115
filter · single_template · includes\classes\StmListing.php:116
action · after_delete_post · includes\classes\StmListing.php:117
action · after_delete_post · includes\classes\StmListing.php:118
action · wp_footer · includes\classes\StmListing.php:123
filter · manage_listing_posts_columns · includes\classes\StmListing.php:127
action · manage_listing_posts_custom_column · includes\classes\StmListing.php:128
action · add_meta_boxes · includes\classes\StmListing.php:129
action · save_post · includes\classes\StmListing.php:130
action · restrict_manage_posts · includes\classes\StmListing.php:132
filter · parse_query · includes\classes\StmListing.php:133
action · restrict_manage_posts · includes\classes\StmListing.php:134
filter · parse_query · includes\classes\StmListing.php:135
action · restrict_manage_posts · includes\classes\StmListing.php:136
filter · parse_query · includes\classes\StmListing.php:137
action · listing-attribute-options_add_form_fields · includes\classes\StmListingAttributeOption.php:63
action · listing-attribute-options_edit_form_fields · includes\classes\StmListingAttributeOption.php:64
action · edited_listing-attribute-options · includes\classes\StmListingAttributeOption.php:65
action · create_listing-attribute-options · includes\classes\StmListingAttributeOption.php:66
action · delete_listing-attribute-options · includes\classes\StmListingAttributeOption.php:67
filter · terms_clauses · includes\classes\StmListingAttributeOption.php:68
filter · edit_listing-attribute-options_slug · includes\classes\StmListingAttributeOption.php:69
filter · manage_edit-listing-attribute-options_columns · includes\classes\StmListingAttributeOption.php:70
filter · manage_listing-attribute-options_custom_column · includes\classes\StmListingAttributeOption.php:71
action · listing-category_add_form_fields · includes\classes\StmListingCategory.php:42
action · listing-category_edit_form_fields · includes\classes\StmListingCategory.php:43
action · create_listing-category · includes\classes\StmListingCategory.php:45
action · edited_listing-category · includes\classes\StmListingCategory.php:46
action · listing-region_add_form_fields · includes\classes\StmListingRegion.php:42
action · listing-region_edit_form_fields · includes\classes\StmListingRegion.php:43
action · create_listing-region · includes\classes\StmListingRegion.php:44
action · edited_listing-region · includes\classes\StmListingRegion.php:45
action · template_redirect · includes\classes\StmListingType.php:639
action · wp_footer · includes\classes\StmListingType.php:640
action · wp_insert_post · includes\classes\StmListingType.php:644
action · add_meta_boxes · includes\classes\StmListingType.php:648
action · wp_before_admin_bar_render · includes\classes\StmListingType.php:649
filter · body_class · includes\classes\StmListingType.php:651
filter · the_content · includes\classes\StmListingType.php:652
filter · pre_get_document_title · includes\classes\StmListingType.php:691
filter · the_content · includes\classes\StmListingType.php:696
action · init · includes\classes\StmQuery.php:9
filter · query_vars · includes\classes\StmQuery.php:11
action · parse_request · includes\classes\StmQuery.php:12
filter · ulisting_user_meta_data · includes\classes\StmUser.php:24
filter · ulisting_query_vars · includes\classes\StmUser.php:26
filter · ulisting_endpoint_title · includes\classes\StmUser.php:27
filter · the_content · includes\classes\StmUser.php:30
filter · sanitize_json_meta_accordion_for_json · includes\classes\UlistingSanitize.php:9
action · ulisting_email_settings_page_center · includes\classes\UlistingSearch.php:37
action · ulisting_settings_save · includes\classes\UlistingSearch.php:38
action · ulisting_install_create_table · includes\classes\UlistingSearch.php:39
action · ulisting-saved-searches-render-page · includes\classes\UlistingSearch.php:44
filter · ulisting_inventory_layout_data · includes\classes\UlistingSearch.php:47
filter · ulisting_query_vars · includes\classes\UlistingSearch.php:48
filter · ulisting-wishlist-link-total-count · includes\classes\UlistingSearch.php:49
filter · ulisting-add-wishlist-total-count · includes\classes\UlistingSearch.php:50
action · ulisting-account-dashboard-center · includes\classes\UlistingUserRole.php:22
filter · ulisting_user_role_custom_field_val · includes\classes\UlistingUserRole.php:23
filter · ulisting_profile_edit_data · includes\classes\UlistingUserRole.php:24
action · init · includes\config.php:9
filter · script_loader_tag · includes\enqueue.php:51
action · wp_enqueue_scripts · includes\enqueue.php:52
filter · wp_get_attachment_image_src · includes\functions.php:109
filter · the_title · includes\functions.php:470
filter · post_row_actions · includes\functions.php:555
filter · ulisting_search_form_category_text · includes\functions.php:570
filter · ulisting_filter_no_results · includes\functions.php:605
filter · listing-region_row_actions · includes\functions.php:687
filter · listing-category_row_actions · includes\functions.php:692
filter · template_include · includes\functions.php:697
action · init · includes\init.php:7
action · init · includes\init.php:8
action · init · includes\init.php:9
action · init · includes\init.php:10
action · init · includes\init.php:11
action · init · includes\init.php:16
action · init · includes\init.php:39
action · plugins_loaded · includes\init.php:47
filter · taxonomy_parent_dropdown_args · includes\init.php:206
action · admin_enqueue_scripts · includes\item-announcements.php:3
action · all_admin_notices · includes\item-announcements.php:16

Scheduled Events 1

stm_listing_cron
Maintenance & Trust

Directory Listings WordPress plugin – uListing Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Apr 15, 2025
PHP min version: (none listed)
Downloads: 117K

Community Trust

Rating: 78/100
Number of ratings: 30
Active installs: 1K
Developer Profile

Directory Listings WordPress plugin – uListing Developer Profile

Stylemix

8 plugins · 58K total installs

Trust score: 64
Avg Security Score: 78/100
Avg Patch Time: 277 days
Detection Fingerprints

How We Detect Directory Listings WordPress plugin – uListing

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ulisting/assets/images/ulisting.png
/wp-content/plugins/ulisting/assets/js/owl.carousel.min.js
/wp-content/plugins/ulisting/assets/css/owl.carousel.min.css
/wp-content/plugins/ulisting/assets/js/feedback.js
/wp-content/plugins/ulisting/assets/css/admin/feedback.css
/wp-content/plugins/ulisting/assets/js/vue-tinymce-2/tinymce.min.js
/wp-content/plugins/ulisting/assets/js/vue-tinymce-2/vue-easy-tinymce.min.js
/wp-content/plugins/ulisting/assets/css/frontend/bootstrap.min.css
+5 more
Script Paths
ulisting/assets/js/owl.carousel.min.js
ulisting/assets/js/feedback.js
ulisting/assets/js/vue-tinymce-2/tinymce.min.js
ulisting/assets/js/vue-tinymce-2/vue-easy-tinymce.min.js
ulisting/assets/js/helper.js
ulisting/assets/js/bootstrap/bootstrap.js
Version Parameters
ulisting/assets/js/owl.carousel.min.js?ver=
ulisting/assets/css/owl.carousel.min.css?ver=
ulisting/assets/js/feedback.js?ver=
ulisting/assets/css/admin/feedback.css?ver=
ulisting/assets/js/vue-tinymce-2/tinymce.min.js?ver=
ulisting/assets/js/vue-tinymce-2/vue-easy-tinymce.min.js?ver=
ulisting/assets/css/frontend/bootstrap.min.css?ver=
ulisting/assets/css/admin/settings.css?ver=
ulisting/assets/css/admin/global.css?ver=
ulisting/assets/js/helper.js?ver=
ulisting/assets/js/bootstrap/bootstrap.js?ver=
ulisting/assets/css/stm-grid.css?ver=

HTML / DOM Fingerprints

CSS Classes
ulisting-pro-features
stm-ulisting-admin-notice
HTML Comments
<!-- uListing Pro Features -->
<!-- uListing Feedback -->
<!-- PRO -->
Data Attributes
data-toggle="ulisting-modal"
data-target="#ulisting-pro-features-modal"
JS Globals
ulisting_admin_params
ulisting_params
REST Endpoints
/wp-json/ulisting/v1/feedback
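An added triage helper that is not part of the page's detection tooling: it pulls the plugin version out of the asset fingerprints listed above and checks it against the affected-version ranges in the vulnerability table, serving both sections. It assumes the plugin passes its own version as the ?ver= parameter when enqueuing assets, which the fingerprints suggest but which should be confirmed (for example against the Stable tag in the plugin's readme.txt, or with wp plugin get ulisting --field=version on the server). Function names and the sample HTML are constructed.

```php
<?php
// Added example, not part of the page's scanner. Detects uListing's version
// from a page's HTML and maps it to the recent advisories listed above.
// Assumption: ?ver= carries the plugin version (typical, not guaranteed).

function ulisting_version_from_html( string $html ): ?string {
    // Matches e.g. .../wp-content/plugins/ulisting/assets/js/helper.js?ver=2.2.0
    $re = '#/plugins/ulisting/assets/[^"\'\s?]+\?ver=([0-9]+(?:\.[0-9]+)+)#';
    return preg_match( $re, $html, $m ) ? $m[1] : null;
}

// Recent advisories from the table above: id => [max affected version, fixed-in version or null].
const ULISTING_ADVISORIES = array(
    'CVE-2026-28078' => array( '2.2.0', null ),    // Editor+ arbitrary file download
    'CVE-2026-28138' => array( '2.2.0', null ),    // Admin+ PHP object injection
    'CVE-2025-32662' => array( '2.2.0', null ),    // Subscriber+ PHP object injection
    'CVE-2025-32122' => array( '2.1.9', null ),    // Admin+ SQL injection
    'CVE-2025-1653'  => array( '2.2.0', null ),    // Subscriber+ privilege escalation
    'CVE-2025-1657'  => array( '2.2.0', null ),    // Subscriber+ meta update / object injection
    'CVE-2025-25150' => array( '2.1.6', '2.1.7' ), // Unauthenticated SQL injection
    'CVE-2025-25151' => array( '2.1.6', '2.1.7' ), // Contributor+ SQL injection
    'CVE-2024-47344' => array( '2.1.5', '2.1.6' ), // Unauthenticated information exposure
);

// Returns the advisories that apply to $version, each marked 'unpatched'
// or 'fixed in X' so the caller can tell an upgrade path from a dead end.
function ulisting_affecting( string $version ): array {
    $out = array();
    foreach ( ULISTING_ADVISORIES as $id => list( $max, $fixed ) ) {
        if ( version_compare( $version, $max, '<=' ) ) {
            $out[ $id ] = $fixed ? "fixed in $fixed" : 'unpatched';
        }
    }
    return $out;
}

// Constructed sample HTML, not a real capture.
$sample  = '<link rel="stylesheet" href="https://example.test/wp-content/plugins/ulisting/assets/css/stm-grid.css?ver=2.1.6" />';
$version = ulisting_version_from_html( $sample );

if ( null === $version ) {
    echo "uListing not detected\n";
} else {
    echo "uListing $version detected\n";
    foreach ( ulisting_affecting( $version ) as $id => $status ) {
        echo "  $id: $status\n";
    }
}
```

Because every unpatched advisory covers the current release (<= 2.2.0), the result for any detected version will include them; the matcher earns its keep on older installs, where it also separates what an upgrade to 2.2.0 would close (the 2.1.x SQL injections and the 2.1.5 information exposure) from what it would not.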
FAQ

Frequently Asked Questions about Directory Listings WordPress plugin – uListing