CVE-2021-24238 - OpenCVE

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Purethemes	Findeo Realteo

Configuration 1 [-]

OR	cpe:2.3:a:purethemes:findeo::::::wordpress::*
	cpe:2.3:a:purethemes:realteo::::::wordpress::*

No data.

References

Link	Providers
https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Findeo-WordPress-Theme-v1.3.0.txt
https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Realteo-WordPress-Plugin-v1.2.3.txt
https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5
https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-04-22T21:00:51

Updated: 2024-08-03T19:21:18.692Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24238

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-04-22T21:15:09.797

Modified: 2023-11-07T03:31:08.490

Link: CVE-2021-24238

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Realteo", "vendor": "PureThemes", "versions": [{"lessThan": "1.2.4", "status": "affected", "version": "1.2.4", "versionType": "custom"}]}, {"product": "Findeo", "vendor": "PureThemes", "versions": [{"lessThan": "1.3.1", "status": "affected", "version": "1.3.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "m0ze"}], "descriptions": [{"lang": "en", "value": "The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-22T21:00:51", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5"}, {"tags": ["x_refsource_MISC"], "url": "https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Findeo-WordPress-Theme-v1.3.0.txt"}, {"tags": ["x_refsource_MISC"], "url": "https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Realteo-WordPress-Plugin-v1.2.3.txt"}], "source": {"discovery": "UNKNOWN"}, "title": "Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24238", "STATE": "PUBLIC", "TITLE": "Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Realteo", "version": {"version_data": [{"version_affected": "<", "version_name": "1.2.4", "version_value": "1.2.4"}]}}, {"product_name": "Findeo", "version": {"version_data": [{"version_affected": "<", "version_name": "1.3.1", "version_value": "1.3.1"}]}}]}, "vendor_name": "PureThemes"}]}}, "credit": [{"lang": "eng", "value": "m0ze"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/", "refsource": "MISC", "url": "https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/"}, {"name": "https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5"}, {"name": "https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-284]-Findeo-WordPress-Theme-v1.3.0.txt", "refsource": "MISC", "url": "https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-284]-Findeo-WordPress-Theme-v1.3.0.txt"}, {"name": "https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-284]-Realteo-WordPress-Plugin-v1.2.3.txt", "refsource": "MISC", "url": "https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-284]-Realteo-WordPress-Plugin-v1.2.3.txt"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:21:18.692Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Findeo-WordPress-Theme-v1.3.0.txt"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Realteo-WordPress-Plugin-v1.2.3.txt"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24238", "datePublished": "2021-04-22T21:00:51", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:21:18.692Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:purethemes:findeo:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "156BF978-930B-4D4E-8F98-11D87C6EB2AF", "versionEndExcluding": "1.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:purethemes:realteo:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "8682C4CD-462D-4C38-BCAC-A463C9FA5E14", "versionEndExcluding": "1.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter."}, {"lang": "es", "value": "El plugin Realteo WordPress versiones anteriores a 1.2.4, usado por Findeo Theme, no garantizaba que la propiedad solicitada a eliminar perteneciera al usuario que realizaba la petici\u00f3n, lo que permit\u00eda a cualquier usuario autenticado eliminar propiedades arbitrarias alterando el par\u00e1metro property_id"}], "id": "CVE-2021-24238", "lastModified": "2023-11-07T03:31:08.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-22T21:15:09.797", "references": [{"source": "contact@wpscan.com", "url": "https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Findeo-WordPress-Theme-v1.3.0.txt"}, {"source": "contact@wpscan.com", "url": "https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Realteo-WordPress-Plugin-v1.2.3.txt"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5"}, {"source": "contact@wpscan.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "contact@wpscan.com", "type": "Secondary"}]}