WordPress Plugin Vulnerabilities
Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion
Description
While investigating an IDOR issue submitted by Vlad Vector against a premium theme, which allowed arbitrary deletion of Ads, the Realia plugin was found to be the root cause.
Having this plugin installed (which some themes require) can allow unauthenticated attackers to delete arbitrary posts by submitting a crafted request containing the ID of the post to delete.
The issue was reported to the WP plugins team on August 5th, 2020, who investigated it on August 14th, 2020. The plugin was later closed from the WordPress repository and is no longer available for download.
For more details, including about the premium theme and the timeline, please refer to the link in the References section.
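The root cause described above (a post-deletion handler reachable without authentication that trusts a caller-supplied post ID) is a common WordPress pattern. The following is an added example, not the Realia plugin's code and not taken from the advisory: a generic admin-ajax handler shown first in the unsafe shape and then hardened with WordPress's own nonce and capability checks. The hook names, the `example_delete_post` action, the `example_ad` post type and the `post_id`/`nonce` request parameters are assumptions for illustration.

```php
<?php
// Added example (hypothetical; not the Realia plugin's code).
// Hook names, action name, post type and request parameters are assumptions.

// UNSAFE PATTERN: registered on the wp_ajax_nopriv_* hook as well, so it runs
// for anonymous visitors, and it deletes whatever post ID the request names
// without a nonce, an ownership check or a capability check.
add_action( 'wp_ajax_nopriv_example_delete_post', 'example_delete_post_unsafe' );
add_action( 'wp_ajax_example_delete_post', 'example_delete_post_unsafe' );
function example_delete_post_unsafe() {
    $post_id = (int) $_POST['post_id'];
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// HARDENED PATTERN:
//  - no wp_ajax_nopriv_* registration, so only logged-in users reach it;
//  - check_ajax_referer() rejects requests without a valid nonce (the nonce is
//    created server-side with wp_create_nonce( 'example_delete_post' ) and
//    passed to the front end, e.g. via wp_localize_script());
//  - the target is restricted to the post type this feature manages;
//  - current_user_can( 'delete_post', $id ) is a meta capability that WordPress
//    resolves per post, so a user may only delete posts they are entitled to.
add_action( 'wp_ajax_example_delete_post', 'example_delete_post_safe' );
function example_delete_post_safe() {
    // Dies with a 403 response if the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post || 'example_ad' !== $post->post_type ) {
        wp_send_json_error( 'invalid post', 400 ); // wp_send_json_error() calls wp_die()
    }
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! wp_delete_post( $post->ID, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}
```

When auditing a plugin for this class of issue, the two things to look for are exactly what separates the two handlers: whether the action is exposed on a `wp_ajax_nopriv_*` hook (or an equivalent unauthenticated entry point such as a front-end `init` handler), and whether the object ID from the request is checked against the current user's capabilities for that specific object rather than merely cast to an integer.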
Proof of Concept
Affects Plugins
References
Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Vlad Vector, Erwan LR
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2020-10-15
Added
2020-10-15
Last Updated
2020-10-17