PT-2020-10371
M0Ze
Published 2020-01-13 · Updated 2020-01-14
CVE-2019-20209
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
CTHthemes CityBook versions prior to 2.3.4
CTHthemes TownHub versions prior to 1.0.6
CTHthemes EasyBook versions prior to 1.2.2
Description
The issue is an Insecure Direct Object Reference (IDOR) via the "wp-admin/admin-ajax.php" endpoint, which allows deletion of any page, post, or listing.
Recommendations
For CTHthemes CityBook versions prior to 2.3.4, update to version 2.3.4 or later.
For CTHthemes TownHub versions prior to 1.0.6, update to version 1.0.6 or later.
For CTHthemes EasyBook versions prior to 1.2.2, update to version 1.2.2 or later.
Tags: IDOR, XSS
Affected Products
Cththemes Citybook
Cththemes Easybook
Cththemes Townhub
Wordpress