Themes Vulnerabilities

ListingPro < 2.6.1 - Unauthenticated Arbitrary Plugin Installation/Activation/Deactivation

Description

Unauthenticated users could install/activate/deactivate arbitrary plugins, including install one from a remote source under their control (by having $_REQUEST['ccDestin'] set to external and $_REQUEST['ccFileUrl'] to the remote ZIP file)

Affects Themes

listingpro

Fixed in version 2.6.1

References

URL

https://blog.nintechnet.com/wordpress-listingpro-theme-fixed-a-critical-vulnerability/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

Jerome Bruandet (nintechnet)

Verified

WPVDB ID

814d5f2d-399a-4738-a48b-009c4f8043ee

Timeline

Publicly Published

2020-12-17 (about 1 years ago)

Added

2020-12-17 (about 1 years ago)

Last Updated

2020-12-18 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin