WordPress Plugin Vulnerabilities

Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR

Description

The plugin, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter.

Proof of Concept

Affects Plugins

Plugin icon
realteo
Fixed in 1.2.4

Affects Themes

findeo
Fixed in 1.3.1

References

CVE
CVE-2021-24238
URL
https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/
URL
https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-284]-Findeo-WordPress-Theme-v1.3.0.txt
URL
https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-284]-Realteo-WordPress-Plugin-v1.2.3.txt

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
7.1 (high)

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified
Yes
WPVDB ID
b8434eb2-f522-484f-9227-5f581e7f48a5

Timeline

Publicly Published
2021-03-31 (about 4 years ago)
Added
2021-04-01 (about 4 years ago)
Last Updated
2021-04-03 (about 4 years ago)

Other

Published
Title
Published
2024-11-12
Title
BuddyPress Builder for Elementor – BuddyBuilder < 1.8.0 - Contributor+ Post Disclosure
Published
2025-09-17
Title
Chained Quiz < 1.3.6 - Unauthenticated Insecure Direct Object Reference via Cookie
Published
2025-02-13
Title
Return Refund and Exchange For WooCommerce < 4.4.6 - Subscriber+ IDOR
Published
2025-01-09
Title
One to one user Chat by WPGuppy < 1.1.1 - Authorization Bypass
Published
2024-11-25
Title
The Events Calendar < 6.8.2.1 - Unauthenticated Password Protected Event Disclosure