CVE-2021-24238
MEDIUM
Findeo and Realteo < 1.3.1 and < 1.2.4 - Authenticated Arbitrary Property Deletion via property_id Parameter
Title source: llmDescription
The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belonged to the user making the request, allowing any authenticated user to delete arbitrary properties by tampering with the property_id parameter.
References (4)
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5
Various Sources x_refsource_misc
https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Findeo-WordPress-Theme-v1.3.0.txt
Various Sources x_refsource_misc
https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Realteo-WordPress-Plugin-v1.2.3.txt
Scores
CVSS v3
6.5
EPSS
0.0111
EPSS Percentile
61.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-284
CWE-425
Status
published
Products (2)
purethemes/findeo
< 1.3.1
purethemes/realteo
< 1.2.4
Published
Apr 22, 2021
Tracked Since
Feb 18, 2026