CVE-2024-13307 (GCVE-0-2024-13307)
Vulnerability from cvelistv5
Published
2025-04-24 08:23
Modified
2025-04-24 13:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pixel_prime | Reales WP - Real Estate WordPress Theme |
Version: * ≤ 2.1.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13307",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T12:53:15.499377Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T13:06:38.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Reales WP - Real Estate WordPress Theme",
"vendor": "pixel_prime",
"versions": [
{
"lessThanOrEqual": "2.1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the \u0027reales_delete_file\u0027, \u0027reales_delete_file_plans\u0027, \u0027reales_add_to_favourites\u0027, and \u0027reales_remove_from_favourites\u0027 functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T08:23:51.329Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb94caa4-35a4-4aa3-8d25-263bbd58072a?source=cve"
},
{
"url": "https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-23T19:41:25.000+00:00",
"value": "Disclosed"
}
],
"title": "Reales WP - Real Estate WordPress Theme \u003c= 2.1.2 - Missing Authorization to Unauthenticated Attachment Deletion and Favorite Property Updates"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13307",
"datePublished": "2025-04-24T08:23:51.329Z",
"dateReserved": "2025-01-09T20:07:48.886Z",
"dateUpdated": "2025-04-24T13:06:38.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-13307\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2025-04-24T09:15:28.607\",\"lastModified\":\"2025-04-29T13:52:47.470\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the \u0027reales_delete_file\u0027, \u0027reales_delete_file_plans\u0027, \u0027reales_add_to_favourites\u0027, and \u0027reales_remove_from_favourites\u0027 functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user.\"},{\"lang\":\"es\",\"value\":\"El tema Reales WP - Real Estate WordPress Theme para WordPress es vulnerable a modificaciones no autorizadas y p\u00e9rdida de datos debido a la falta de comprobaci\u00f3n de las funciones \u0027reales_delete_file\u0027, \u0027reales_delete_file_plans\u0027, \u0027reales_add_to_favourites\u0027 y \u0027reales_remove_from_favourites\u0027 en todas las versiones hasta la 2.1.2 incluida. Esto permite a atacantes no autenticados eliminar archivos adjuntos arbitrarios y a\u00f1adir o eliminar propiedades favoritas de cualquier usuario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/cb94caa4-35a4-4aa3-8d25-263bbd58072a?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-13307\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-24T12:53:15.499377Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-24T13:04:09.592Z\"}}], \"cna\": {\"title\": \"Reales WP - Real Estate WordPress Theme \u003c= 2.1.2 - Missing Authorization to Unauthenticated Attachment Deletion and Favorite Property Updates\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Lucio S\\u00e1\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"pixel_prime\", \"product\": \"Reales WP - Real Estate WordPress Theme\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.1.2\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-04-23T19:41:25.000+00:00\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/cb94caa4-35a4-4aa3-8d25-263bbd58072a?source=cve\"}, {\"url\": \"https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the \u0027reales_delete_file\u0027, \u0027reales_delete_file_plans\u0027, \u0027reales_add_to_favourites\u0027, and \u0027reales_remove_from_favourites\u0027 functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2025-04-24T08:23:51.329Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-13307\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-24T13:06:38.574Z\", \"dateReserved\": \"2025-01-09T20:07:48.886Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2025-04-24T08:23:51.329Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…