uListing 2.2.0 and earlier allows arbitrary data injection

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.2

uListing 2.2.0 and earlier allows arbitrary data injection

CVE-2026-28138

Summary

The uListing plugin for WordPress does not properly validate user input, which can allow an attacker to inject malicious data into the system. This could lead to unauthorized actions or data tampering. Update to a fixed version of uListing to prevent this risk.

Original title

Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection.This issue affects uListing: from n/a through <= 2.2.0.

Original description

Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection.This issue affects uListing: from n/a through <= 2.2.0.

nvd CVSS3.1 7.2

Vulnerability type

CWE-502 Deserialization of Untrusted Data

https://patchstack.com/database/Wordpress/Plugin/ulisting/vulnerability/wordpres...

Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026