CVE-2021-24318
MEDIUMPurethemes Listeo < 1.6.11 - Improper Access Control
Title source: ruleDescription
The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/9afa7e11-68b3-4196-975e-8b3f8e68ce56
Exploit, Third Party Advisory x_refsource_misc
https://m0ze.ru/vulnerability/%5B2021-02-10%5D-%5BWordPress%5D-%5BCWE-639%5D-Listeo-WordPress-Theme-v1.6.10.txt
Scores
CVSS v3
6.5
EPSS
0.0039
EPSS Percentile
60.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-284
CWE-639
Status
published
Products (1)
purethemes/listeo
< 1.6.11
Published
Jun 01, 2021
Tracked Since
Feb 18, 2026