6.5
CVE-2021-24238
- EPSS 1.11%
- Veröffentlicht 22.04.2021 21:15:09
- Zuletzt bearbeitet 21.11.2024 05:52:39
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginRealteo < 1.2.4 - Arbitrary Property Deletion via IDOR
Realteo < 1.2.4 - Missing Authorization
The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter.
Mögliche Gegenmaßnahme
Realteo: Update to version 1.2.4, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Purethemes ≫ Findeo SwPlatformwordpress Version < 1.3.1
Purethemes ≫ Realteo SwPlatformwordpress Version < 1.2.4
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Realteo
Version
[*, 1.2.4)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.11% | 0.617 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:N/I:P/A:N
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-425 Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/
https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Findeo-WordPress-Theme-v1.3.0.txt
https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Realteo-WordPress-Plugin-v1.2.3.txt
https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5
https://www.wordfence.com/threat-intel/vulnerabilities/id/72f3541e-e589-4f21-ab51-89dba704b271