fkie_cve-2024-13307
Vulnerability from fkie_nvd
Published
2025-04-24 09:15
Modified
2025-04-29 13:52
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user.
References
security@wordfence.comhttps://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/cb94caa4-35a4-4aa3-8d25-263bbd58072a?source=cve
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the \u0027reales_delete_file\u0027, \u0027reales_delete_file_plans\u0027, \u0027reales_add_to_favourites\u0027, and \u0027reales_remove_from_favourites\u0027 functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user."
    },
    {
      "lang": "es",
      "value": "El tema Reales WP - Real Estate WordPress Theme para WordPress es vulnerable a modificaciones no autorizadas y p\u00e9rdida de datos debido a la falta de comprobaci\u00f3n de las funciones \u0027reales_delete_file\u0027, \u0027reales_delete_file_plans\u0027, \u0027reales_add_to_favourites\u0027 y \u0027reales_remove_from_favourites\u0027 en todas las versiones hasta la 2.1.2 incluida. Esto permite a atacantes no autenticados eliminar archivos adjuntos arbitrarios y a\u00f1adir o eliminar propiedades favoritas de cualquier usuario."
    }
  ],
  "id": "CVE-2024-13307",
  "lastModified": "2025-04-29T13:52:47.470",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@wordfence.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-24T09:15:28.607",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb94caa4-35a4-4aa3-8d25-263bbd58072a?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.