Atomic Edge analysis of CVE-2026-28078 (metadata-based):
This vulnerability is a classic directory traversal (CWE-22) in the uListing WordPress plugin. The CWE classification confirms improper pathname limitation. The description states authenticated attackers with Editor-level access can read arbitrary files. This indicates the plugin fails to properly sanitize user-controlled input used in file operations, likely via AJAX handlers or admin endpoints.
Atomic Edge research infers the root cause involves a file download or file retrieval function that accepts a filename or path parameter without validating it against directory traversal sequences. The plugin likely uses this parameter directly in functions like file_get_contents() or readfile().
Exploitation requires Editor-level WordPress credentials (PR:H in CVSS). Attackers would authenticate, then send a crafted request containing directory traversal sequences (../) in a file parameter. The CVSS vector shows network attack vector (AV:N), low attack complexity (AC:L), and high confidentiality impact (C:H).
Based on WordPress plugin patterns, the vulnerable endpoint is likely an AJAX handler at /wp-admin/admin-ajax.php with an action parameter containing ‘ulisting’ or a direct admin file at /wp-admin/admin-post.php. The parameter name could be ‘file’, ‘path’, ‘filename’, or similar. Payloads would include sequences like ‘../../../../etc/passwd’ or encoded variants.
The fix requires implementing proper path validation, likely using realpath() with basename() comparison, or restricting file access to a specific directory. WordPress nonce verification might also be missing, though the description focuses on path traversal.
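As an added illustration of the kind of fix described above (this is example code written here, not the uListing plugin's own code; the handler name, the 'file' request parameter, the nonce action and the upload subdirectory are all hypothetical), the following PHP canonicalises the requested name with basename() and realpath() and then confirms the resolved path lies inside the permitted directory before reading it:

```php
<?php
// Added example, not the plugin's code. Resolves a client-supplied file name to a
// path under $base_dir, or returns null if it cannot be safely served.
function ulisting_resolve_safe_path(string $base_dir, string $requested): ?string {
    // Canonicalise the allowed directory; realpath() returns false if it does not exist.
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // basename() drops every directory component the client sent, so a value such as
    // "../../../../etc/passwd" collapses to "passwd" and must then exist under $base.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() also resolves symlinks, so a link inside $base that points outside
    // it is caught by the containment check below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check: the canonical path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Hypothetical admin-ajax.php handler showing the nonce check the description
// suggests may also be missing, wired in front of the path check.
function ulisting_download_handler(): void {
    // check_ajax_referer() with $stop=false returns false instead of dying.
    if (!check_ajax_referer('ulisting_download', 'nonce', false)) {
        wp_send_json_error('bad nonce', 403);
    }
    $base = wp_upload_dir()['basedir'] . '/ulisting'; // hypothetical directory
    $path = ulisting_resolve_safe_path($base, (string) ($_GET['file'] ?? ''));
    if ($path === null) {
        wp_send_json_error('invalid file', 400);
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}
```

A capability check appropriate to the feature (current_user_can()) would sit alongside the nonce check; which capability is correct depends on who is meant to download these files, which the advisory does not state.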
Impact includes disclosure of sensitive server files like configuration files, environment variables, database credentials, or source code. This can lead to further server compromise.
