Skip to main content

Listdom CVE-2026-49063

| EUVDEUVD-2026-36871 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-15 Patchstack GHSA-g5vj-vrxx-7p65
7.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable privilege escalation in WordPress typically yields administrator capability, which is full site compromise - justifying C:H/I:H/A:H rather than the conservative L/L/L in the supplied vector.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:40 vuln.today

DescriptionCVE.org

Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions.

AnalysisAI

Unauthenticated privilege escalation in the Listdom WordPress plugin versions 5.5.0 and earlier allows remote attackers to elevate privileges without any authentication or user interaction. The flaw is tracked under CWE-266 (Incorrect Privilege Assignment) and was reported by Patchstack; no public exploit identified at time of analysis. Affected sites running this Webilia-developed directory listing plugin face risk of unauthorized account or capability elevation through exposed plugin endpoints.

Technical ContextAI

Listdom is a WordPress directory and listing plugin published by Webilia Inc. (CPE cpe:2.3:a:webilia_inc.:listdom). The root cause is classified as CWE-266 (Incorrect Privilege Assignment), a weakness class where the application grants a user privileges that exceed those intended for their role - typically because a plugin-exposed action, AJAX handler, or REST endpoint fails to verify the caller's capability before assigning roles, modifying user meta, or performing privileged operations. In the WordPress plugin ecosystem this commonly manifests as nonce/capability checks being absent on hooks reachable by anonymous visitors, allowing unprivileged callers to invoke logic intended for administrators.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the supplied data - administrators should check the Listdom plugin page on wordpress.org and the vendor changelog for a release later than 5.5.0 and upgrade immediately, consulting https://patchstack.com/database/wordpress/plugin/listdom/vulnerability/wordpress-listdom-plugin-5-5-0-privilege-escalation-vulnerability for advisory details. Until a confirmed fixed version is installed, compensating controls include deactivating the Listdom plugin entirely (trade-off: directory/listing pages will be unavailable), restricting access to wp-admin/admin-ajax.php and the WP REST API for Listdom routes via a WAF rule or virtual patch (trade-off: legitimate front-end calls into Listdom AJAX handlers may break and require allowlisting), and auditing the wp_users and wp_usermeta tables for unexpected role assignments or new administrator accounts created since the plugin was installed.

Share

CVE-2026-49063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy