[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fddo7znPVB43bNlyG2ujmu9XXOHct24o6PSnoKOcGEH4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-28078","directory-listings-wordpress-plugin-ulisting-authenticated-editor-arbitrary-file-download","Directory Listings WordPress plugin – uListing \u003C= 2.2.0 - Authenticated (Editor+) Arbitrary File Download","The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.","ulisting",null,"\u003C=2.2.0","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-02-26 00:00:00","2026-03-05 17:26:23",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa0e9e803-8f52-4210-9c28-fe0438487a4b?source=api-prod",[],"researched",false,3,"This research plan focuses on identifying and exploiting an authenticated directory traversal vulnerability in the **uListing** plugin (versions \u003C= 2.2.0).\n\n---\n\n### 1. Vulnerability Summary\nThe **uListing** plugin for WordPress is vulnerable to **Arbitrary File Download** via directory traversal. The vulnerability exists because an authenticated user with Editor-level permissions or higher can trigger a file download action where the file path is constructed using user-supplied input without sufficient sanitization or validation. This allows attackers to escape the intended directory and read sensitive files like `wp-config.php` or system files like `\u002Fetc\u002Fpasswd`.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action (Inferred):** Likely a `wp_ajax_` handler associated with exporting listings, downloading logs, or template management. (Common uListing patterns suggest actions like `ulisting_ajax_download_export` or `ulisting_ajax_get_file`).\n*   **Parameter:** A GET or POST parameter (likely `file`, `path`, or `filename`) containing the traversal string.\n*   **Authentication:** Required (Editor or higher).\n*   **Preconditions:** The plugin must be active, and the attacker must have valid Editor credentials.\n\n### 3. Code Flow (Inferred Strategy)\nThe automated agent must trace the input using the following methodology:\n\n1.  **Entry Point Identification:**\n    Search for AJAX handlers registered by the plugin that involve file operations:\n    ```bash\n    grep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Fulisting\u002F | grep -E \"download|export|file|log\"\n    ```\n\n2.  **Sink Discovery:**\n    Identify where the callback function for that action uses dangerous file system sinks:\n    ```bash\n    # Potential sinks: readfile, file_get_contents, fopen, wp_send_json with file content\n    grep -rE \"readfile|file_get_contents|download\" wp-content\u002Fplugins\u002Fulisting\u002F\n    ```\n\n3.  **Tracing:**\n    Locate the function associated with the `wp_ajax_` action. Confirm if it retrieves a parameter (e.g., `$_GET['file']`) and passes it directly into a sink like `readfile()` without calling `basename()` or validating the path against a whitelist\u002Fallowed directory.\n\n### 4. Nonce Acquisition Strategy\nuListing typically localizes its AJAX configuration and nonces.\n\n1.  **Identify Shortcode\u002FPage:** uListing often enqueues scripts on pages where directory listings are displayed or in the admin dashboard.\n2.  **Creation:** Create a post containing a uListing shortcode if needed:\n    `wp post create --post_type=page --post_status=publish --post_content='[ulisting_listing_grid]'`\n3.  **Extraction:**\n    Navigate to the page (or the uListing admin menu) and extract the nonce from the global JavaScript objects:\n    *   **Common Variable Name (Inferred):** `ulisting_ajax` or `ulisting_common`.\n    *   **Key (Inferred):** `nonce` or `ulisting_ajax_nonce`.\n    *   **Execution:** `browser_eval(\"window.ulisting_ajax?.nonce\")` or `browser_eval(\"window.ulisting_common?.nonce\")`.\n\n*Note: If `check_ajax_referer` is used with the action string and the localized nonce, the agent must use that specific nonce.*\n\n### 5. Exploitation Strategy\nOnce the vulnerable action and parameter are identified via grep:\n\n1.  **Login:** Authenticate as an Editor.\n2.  **Nonce:** Extract the nonce using the strategy in Section 4.\n3.  **Request:** Use the `http_request` tool to perform the traversal.\n\n**Example Payload (Hypothetical):**\n*   **Action:** `ulisting_ajax_download_export` (Verify via grep)\n*   **Parameter:** `file` (Verify via grep)\n*   **Method:** GET\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=ulisting_ajax_download_export&nonce=[NONCE]&file=..\u002F..\u002F..\u002F..\u002Fwp-config.php\n```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure uListing v2.2.0 is installed and active.\n2.  **Create User:** \n    `wp user create attacker attacker@example.com --role=editor --user_pass=password123`\n3.  **Create Content:** Ensure at least one directory listing exists if the download logic requires a valid listing ID context.\n\n### 7. Expected Results\n*   **Success:** The server response should contain the cleartext contents of `wp-config.php` (identifiable by `define('DB_NAME', ...);`) or the targeted file.\n*   **Headers:** The `Content-Type` might be `application\u002Foctet-stream` or `text\u002Fplain`, and `Content-Disposition` may contain the filename.\n\n### 8. Verification Steps\nAfter the `http_request` returns the data:\n1.  **Content Check:** Verify the presence of WordPress configuration strings in the response body.\n2.  **File System Check:** Use `wp_cli` to confirm the content matches the actual `wp-config.php` on the server:\n    `cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php` (Compare with exploit output).\n\n### 9. Alternative Approaches\n*   **If Action is restricted to Admin:** Check if the Editor can access the uListing \"Settings\" or \"Tools\" page in the dashboard where export functionality might be triggered.\n*   **Path Variations:**\n    *   Try absolute paths: `\u002Fetc\u002Fpasswd`\n    *   Try depth variations: `..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd`\n    *   Try null byte injection (if PHP version is \u003C 5.3.4, unlikely here): `..\u002F..\u002Fwp-config.php%00`\n    *   Try URL encoding variations for the dots and slashes.\n*   **Different Parameters:** If `file` fails, check for `path`, `src`, `url`, or `document`.","The uListing plugin for WordPress is vulnerable to directory traversal in versions up to and including 2.2.0 due to insufficient input validation in its file download functionality. Authenticated attackers with Editor-level permissions can exploit this vulnerability to read arbitrary files from the server, including sensitive configuration files like wp-config.php.","--- a\u002Fincludes\u002Fclasses\u002FStmListingAdmin.php\n+++ b\u002Fincludes\u002Fclasses\u002FStmListingAdmin.php\n@@ -115,7 +115,7 @@\n \tpublic function download_export() {\n-\t\t$file = $_GET['file'];\n+\t\t$file = basename(sanitize_text_field($_GET['file']));\n \t\t$file_path = ULISTING_UPLOAD_DIR . '\u002Fexports\u002F' . $file;\n \t\tif (file_exists($file_path)) {\n \t\t\theader('Content-Type: application\u002Foctet-stream');","The exploit is performed by an authenticated user with Editor-level access or higher. First, the attacker extracts an AJAX nonce (e.g., 'ulisting_ajax_nonce') typically localized within the 'ulisting_ajax' JavaScript object in the WordPress admin dashboard. The attacker then sends a request to '\u002Fwp-admin\u002Fadmin-ajax.php' using a vulnerable action such as 'ulisting_ajax_download_export'. By providing a 'file' parameter containing a directory traversal payload (e.g., '..\u002F..\u002F..\u002F..\u002Fwp-config.php'), the attacker can bypass the intended directory restrictions and download sensitive files from the server.","gemini-3-flash-preview","2026-04-18 23:34:56","2026-04-18 23:35:18",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fulisting\u002Ftags"]