CVE-2026-28138
Deserialization Vulnerability in Stylemix uListing Allows Object Injection
Publication date: 2026-02-26
Last updated on: 2026-02-26
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stylemixthemes | ulisting | 2.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28138 is a PHP Object Injection vulnerability found in the WordPress uListing Plugin versions up to and including 2.2.0. It allows a malicious actor with administrator privileges to inject objects during deserialization, potentially enabling various attacks.
- The vulnerability involves deserialization of untrusted data leading to object injection.
- It can be exploited to perform attacks such as code injection, SQL injection, path traversal, and denial of service.
- Exploitation requires a suitable PHP Object Injection Property Oriented Programming (POP) chain.
The issue is classified under OWASP Top 10 category A3: Injection and has a CVSS score of 7.2, indicating moderate severity.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker with administrator privileges to execute several harmful actions on the affected system.
- Code injection, which could lead to arbitrary code execution.
- SQL injection, potentially compromising the database.
- Path traversal, which might allow access to unauthorized files.
- Denial of service, disrupting the availability of the application.
However, the vulnerability is considered low priority by Patchstack due to its low impact and the unlikelihood of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system detection methods provided for this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available for this vulnerability, immediate mitigation steps include monitoring for updates or mitigations from the plugin developer or security advisories.
Additionally, limiting administrator privileges to trusted users can reduce the risk of exploitation, as the vulnerability requires administrator access.
Consider implementing general security best practices such as regular backups and monitoring for suspicious activity.