CVE-2026-28078
Path Traversal in Stylemix uListing <= 2.2.0 Allows Unauthorized Access
Publication date: 2026-03-05
Last updated on: 2026-03-05
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stylemixthemes | ulisting | From 1.0.0 (inc) to 2.2.0 (inc) |
| stylemix | ulisting | Up to 2.2.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
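The CWE-22 pattern above, shown as an added example (generic illustration written for this page, not uListing's code): a download handler that joins untrusted input onto a base directory, beside a hardened version that percent-decodes the input, canonicalises the result with realpath and refuses anything that does not stay beneath the restricted root. The restricted directory is a hypothetical temporary folder and the sample requests are constructed.

```python
import os
import tempfile
import urllib.parse
from typing import Dict, Optional, Tuple

# Constructed illustration of CWE-22, not uListing's code: a download handler
# that must only serve files beneath one restricted directory.


def naive_path(base: str, user_input: str) -> str:
    """Vulnerable pattern: untrusted input is joined straight onto the base.
    '../' segments escape the base, and an absolute input replaces it entirely
    because os.path.join discards everything before an absolute component."""
    return os.path.join(base, user_input)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so a double-encoded '%252e%252e%252f'
    unwraps to '../' before the path is checked rather than after."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_path(base: str, user_input: str) -> Optional[str]:
    """Hardened pattern: canonicalise the candidate and require that it stays
    beneath the canonical base. Returns None when the request would escape."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, decode_fully(user_input)))
    # realpath collapses '..' and resolves symlinks. The prefix check includes
    # the trailing separator so '/uploads-evil' is not accepted as '/uploads'.
    if candidate == base_real or candidate.startswith(base_real + os.sep):
        return candidate
    return None


def escapes_base(base: str, user_input: str) -> bool:
    """True when the naive join, once normalised, lands outside the base."""
    resolved = os.path.normpath(naive_path(base, user_input))
    base_norm = os.path.normpath(base)
    return not (resolved == base_norm or resolved.startswith(base_norm + os.sep))


def demo(base: Optional[str] = None) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run constructed sample requests against a hypothetical restricted root.
    Each value is (naive join escapes?, what the hardened check returns)."""
    root = base or tempfile.mkdtemp(prefix="uploads-")
    requests = {
        "benign": "2026/03/listing.csv",
        "plain": "../../../../../../etc/passwd",
        "double_encoded": "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
        "absolute": "/etc/passwd",
    }
    return {name: (escapes_base(root, req), safe_path(root, req)) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (escapes, resolved) in demo().items():
        print(f"{name:15s} naive_escapes={escapes!s:5s} hardened={resolved}")
```

The double-encoded request is the case to note: a naive join does not escape on it as a single component, but any later decoding layer would, so the hardened check decodes first and still rejects it. Comparing canonical paths with a trailing separator, rather than a bare prefix match, is what stops sibling directories with a shared prefix from slipping through.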
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28078 is a Path Traversal vulnerability (CWE-22) in the WordPress uListing plugin, versions up to and including 2.2.0. It allows an authenticated attacker holding Editor or Developer privileges to download arbitrary files from the affected website.
It is classified under OWASP Top 10 (2021) A01: Broken Access Control, meaning the attacker can bypass the intended restriction on which files a download request may reach.
The files that can be accessed may include sensitive data such as login credentials (on a WordPress site, for example, the database credentials in wp-config.php) or backup files.
How can this vulnerability impact me?:
This vulnerability can lead to unauthorized disclosure of sensitive information stored on the affected website.
- Attackers with Editor or Developer privileges can download arbitrary files, potentially exposing login credentials.
- Backup files and other sensitive data may be accessed, increasing the risk of data breaches.
Such exposure can compromise the security and integrity of the website and its data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows an attacker with Editor or Developer privileges to download arbitrary files from the affected website, which may include sensitive data. Detection can involve monitoring for unusual file download requests or attempts to access files outside the intended directories.
Since no official patch is available, and the vulnerability is a path traversal in the uListing WordPress plugin, detection can include checking web server logs for suspicious URL patterns that attempt to traverse directories (e.g., URLs containing '../' or its percent-encoded form '%2e%2e%2f').
Example commands to detect such attempts with grep on web server logs (adjust the log path for your web server; the -i flag also catches upper-case encodings such as '%2E%2E%2F'):
- grep -iE '\.\./|%2e%2e%2f' /var/log/apache2/access.log
- grep -i 'ulisting' /var/log/apache2/access.log | grep -iE '\.\./|%2e%2e%2f'
Note that a literal pattern match misses double-encoded traversal ('%252e%252e%252f' contains neither '../' nor '%2e%2e%2f'), so decode the request target before matching if you want to catch that variant.
Additionally, monitoring for unusual file download activity by users with Editor or Developer roles in WordPress could help detect exploitation attempts. [1]
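The log check described above, as an added example written for this page (it is not a Patchstack rule or part of the plugin): a scanner that parses common-format access log lines, percent-decodes each request target until it is stable so single- and double-encoded traversal both collapse to '../', and reports each hit with the client, status code and whether the request mentions uListing. The sample log lines are constructed, and their query parameters are placeholders that do not describe uListing's real request format.

```python
import re
import urllib.parse
from typing import Dict, Iterable, List

# Apache/nginx common-style access log line. Constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A dot-dot segment followed by a forward or back slash in the *decoded* target.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %2e%2e%2f, %2E%2E%2F and the
    double-encoded %252e%252e%252f all collapse to '../'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target: str) -> bool:
    """True when the decoded request target contains a traversal segment."""
    return TRAVERSAL_RE.search(decode_fully(target)) is not None


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One record per request whose decoded target contains '../' or '..\\'.
    'plugin_related' marks targets that mention ulisting anywhere."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        target = m.group("target")
        if not is_traversal(target):
            continue
        hits.append({
            "line": lineno,
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "target": target,
            "decoded": decode_fully(target),
            "plugin_related": "ulisting" in target.lower(),
        })
    return hits


# Constructed sample lines. The 'file=' parameter is a placeholder for the
# example and does not describe uListing's real request format.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=ulisting HTTP/1.1" 200 5123',
    '203.0.113.10 - - [05/Mar/2026:10:00:09 +0000] "GET /wp-admin/admin.php?page=ulisting&file=../../../wp-config.php HTTP/1.1" 200 3210',
    '198.51.100.7 - - [05/Mar/2026:10:01:15 +0000] "GET /wp-admin/admin.php?page=ulisting&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3210',
    '198.51.100.7 - - [05/Mar/2026:10:01:20 +0000] "GET /index.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 221',
    '192.0.2.33 - - [05/Mar/2026:10:02:00 +0000] "GET /wp-content/uploads/2026/03/listing..final.csv HTTP/1.1" 200 8810',
]


def summarize(lines: Iterable[str] = SAMPLE_LOG) -> Dict[str, int]:
    """Counts a responder cares about: total hits, hits naming the plugin,
    and hits the server answered with 200 (the ones that likely served a file)."""
    hits = scan_log(lines)
    return {
        "hits": len(hits),
        "plugin_related": sum(1 for h in hits if h["plugin_related"]),
        "successful": sum(1 for h in hits if h["status"] == 200),
    }


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'line {h["line"]}: {h["ip"]} {h["status"]} {h["decoded"]}')
    print(summarize())
```

Run it against a real file with scan_log(open("/var/log/apache2/access.log")). The fourth sample line is the one the plain grep above misses, and the fifth shows why the pattern requires a slash after the dots: a filename like listing..final.csv is not a traversal. A 200 response on a hit is the signal to treat the request as a possible successful download and pull the responding user's session from the application side.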
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying Patchstack's mitigation rule to block attacks exploiting this vulnerability until an official patch is released.
Since no official patch is currently available, users should:
- Apply the Patchstack mitigation measures immediately to protect their sites.
- Restrict Editor and Developer privileges to trusted users only, minimizing the risk of exploitation.
- Monitor web server logs for suspicious activity related to path traversal attempts.
- Consider temporarily disabling or removing the uListing plugin if mitigation is not feasible.