Vulnerabilities > CVE-2019-20209 - Authorization Bypass Through User-Controlled Key vulnerability in Cththemes Citybook, Easybook and Townhub

CVSS 6.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

cththemes

CWE-639

NVD

Published: 2020-01-13

Updated: 2020-01-14

Summary

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing.

Vulnerable Configurations

Part	Description	Count
Application	Cththemes Cththemes Citybook * Cththemes Easybook * Cththemes Townhub *	3

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://cxsecurity.com/issue/WLB-2019120110
https://cxsecurity.com/issue/WLB-2019120111
https://cxsecurity.com/issue/WLB-2019120112
https://themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727
https://themeforest.net/item/easybook-directory-listing-wordpress-theme/23206622
https://themeforest.net/item/townhub-directory-listing-wordpress-theme/25019571
https://wpvulndb.com/vulnerabilities/10013
https://wpvulndb.com/vulnerabilities/10014
https://wpvulndb.com/vulnerabilities/10018