Vulnerability Description
The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Purethemes | Findeo | < 1.3.1 |
| Purethemes | Realteo | < 1.2.4 |
Related Weaknesses (CWE)
References
- https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Fin
- https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Rea
- https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5ExploitThird Party Advisory
- https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/Release NotesVendor Advisory
- https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Fin
- https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Rea
- https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5ExploitThird Party Advisory
- https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/Release NotesVendor Advisory
FAQ
What is CVE-2021-24238?
CVE-2021-24238 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to...
How severe is CVE-2021-24238?
CVE-2021-24238 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24238?
Check the references section above for vendor advisories and patch information. Affected products include: Purethemes Findeo, Purethemes Realteo.