CVE-2026-28078
Received Received - Intake
Path Traversal in Stylemix uListing ≀ 2.2.0 Allows Unauthorized Access

Publication date: 2026-03-05

Last updated on: 2026-03-05

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Stylemix uListing ulisting allows Path Traversal.This issue affects uListing: from n/a through <= 2.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28078
EUVD
EUVD-2026-9736
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
stylemixthemes ulisting From 1.0.0 (inc) to 2.2.0 (inc)
stylemix ulisting to 2.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28078 is a Path Traversal vulnerability in the WordPress uListing plugin versions up to and including 2.2.0. This vulnerability allows an attacker with Editor or Developer privileges to download arbitrary files from the affected website.

It is classified under OWASP Top 10 A1: Broken Access Control, meaning the attacker can bypass restrictions to access files they should not be able to.

The files that can be accessed may include sensitive data such as login credentials or backup files.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on the affected website.

  • Attackers with Editor or Developer privileges can download arbitrary files, potentially exposing login credentials.
  • Backup files and other sensitive data may be accessed, increasing the risk of data breaches.

Such exposure can compromise the security and integrity of the website and its data.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker with Editor or Developer privileges to download arbitrary files from the affected website, which may include sensitive data. Detection can involve monitoring for unusual file download requests or attempts to access files outside the intended directories.'}, {'type': 'paragraph', 'content': "Since no official patch is available, and the vulnerability is related to path traversal in the uListing WordPress plugin, detection might include checking web server logs for suspicious URL patterns that attempt to traverse directories (e.g., URLs containing '../')."}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts could include using grep on web server logs to find path traversal patterns:'}, {'type': 'list_item', 'content': "grep -E '\\.\\./|%2e%2e%2f' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'ulisting' /var/log/apache2/access.log | grep -E '\\.\\./|%2e%2e%2f'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual file download activity by users with Editor or Developer roles in WordPress could help detect exploitation attempts.'}] [1]

Mitigation Strategies

Immediate mitigation steps include applying Patchstack’s mitigation rule to block attacks exploiting this vulnerability until an official patch is released.

Since no official patch is currently available, users should:

  • Apply the Patchstack mitigation measures immediately to protect their sites.
  • Restrict Editor and Developer privileges to trusted users only, minimizing the risk of exploitation.
  • Monitor web server logs for suspicious activity related to path traversal attempts.
  • Consider temporarily disabling or removing the uListing plugin if mitigation is not feasible.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28078. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart