CVE-2021-24318 - Authorization Bypass Through User-Controlled Key vulnerability in Purethemes Listeo
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Summary
The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to be deleted belong to the user making the request, allowing any authenticated user to delete arbitrary pages/posts and bookings via an IDOR vector.
References
- https://m0ze.ru/vulnerability/%5B2021-02-10%5D-%5BWordPress%5D-%5BCWE-639%5D-Listeo-WordPress-Theme-v1.6.10.txt
- https://wpscan.com/vulnerability/9afa7e11-68b3-4196-975e-8b3f8e68ce56