PT-2021-15781 · WordPress · Realteo Wordpress Plugin

M0Ze

Published

2021-04-22

Updated

2022-07-29

CVE-2021-24238

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Realteo WordPress plugin versions prior to 1.2.4

Description The issue allows any authenticated users to delete arbitrary properties by tampering with the property id parameter, as the plugin does not ensure that the requested property to be deleted belongs to the user making the request.

Recommendations For versions prior to 1.2.4, update to version 1.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the property deletion functionality to minimize the risk of exploitation. Avoid using the property id parameter in affected API endpoints until the issue is resolved.

Exploit

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-425CWE-284

Related Identifiers

CVE-2021-24238

Affected Products

Realteo Wordpress Plugin

PT-2021-15781 · WordPress · Realteo Wordpress Plugin

CVE-2021-24238

Weakness Enumeration

Related Identifiers

Affected Products

References · 8