CVE-2024-13307

Name of the Vulnerable Software and Affected Versions The Reales WP - Real Estate WordPress Theme versions up to, and including, 2.1.2

Description The issue allows unauthorized modification and loss of data due to a missing capability check on the reales delete file, reales delete file plans, reales add to favourites, and reales remove from favourites functions. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user.

Recommendations For versions up to, and including, 2.1.2, update to a version that includes a fix for the missing capability check issue. As a temporary workaround, consider disabling the reales delete file, reales delete file plans, reales add to favourites, and reales remove from favourites functions until a patch is available.