CVE-2024-13307
Reales WP - Real Estate WordPress Theme <= 2.1.2 - Missing Authorization to Unauthenticated Attachment Deletion and Favorite Property Updates
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Reales WP - Real Estate WordPress Theme <= 2.1.2 - Missing Authorization to Unauthenticated Attachment Deletion and Favorite Property Updates
The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user.
Reserved 2025-01-09 | Published 2025-04-24 | Updated 2025-04-24 | Assigner Wordfence| 2025-04-23: | Disclosed |
Lucio Sá
www.wordfence.com/...-35a4-4aa3-8d25-263bbd58072a?source=cve
themeforest.net/...s-wp-real-estate-wordpress-theme/10330568
Support options
