Themes Vulnerabilities

Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities

Description

The theme did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector.

Proof of Concept

Affects Themes

listeo
Fixed in 1.6.11

References

CVE
CVE-2021-24318
URL
https://m0ze.ru/vulnerability/%5B2021-02-10%5D-%5BWordPress%5D-%5BCWE-639%5D-Listeo-WordPress-Theme-v1.6.10.txt

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified
No
WPVDB ID
9afa7e11-68b3-4196-975e-8b3f8e68ce56

Timeline

Publicly Published
2021-05-16 (about 4 years ago)
Added
2021-05-16 (about 4 years ago)
Last Updated
2021-05-18 (about 4 years ago)

Other

Published
Title
Published
2023-07-26
Title
ACF Photo Gallery Field < 2.0 - Subscriber+ UserMeta Update
Published
2021-06-28
Title
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
Published
2025-05-19
Title
WP Job Portal < 2.3.3 - Unauthenticated Insecure Direct Object Reference
Published
2024-04-10
Title
GP Unique ID < 1.5.6 - Unauthenticated Form Submission Unique ID Modification
Published
2024-04-16
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Insecure Direct Object Reference