Skip to main content

Direct Request ('Forced Browsing')

CVE-2021-24238

Severity Medium
Score 6.5/10

Summary

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • LOW
  • NONE
  • NONE

CWE-425 - Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References

Advisory Timeline

  • Published