EUVD-2021-11152

Malware in sbrugna...

CVE-2025-2232

The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'doregisteruser' function. This makes it possible for...

CVE-2021-24237

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keywordsearch, searchradius. bedrooms and bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue...

CVE-2021-24238

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the propertyid parameter...

Design/Logic Flaw

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the propertyid parameter...

Cross site scripting

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keywordsearch, searchradius. bedrooms and bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue...

CVE-2021-24238

The Realteo WordPress plugin (pre-1.2.4), used by the Findeo Theme, is vulnerable due to a missing ownership check when deleting a property. An authenticated user can tamper with the property_id parameter to delete properties belonging to others, enabling an IDOR-like impact. The issue is tied to...

CVE-2021-24238 Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the propertyid parameter...

Realteo < 1.2.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)

The plugin, used by the Findeo Theme, did not properly sanitise the keywordsearch, searchradius. bedrooms and bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue. PoC...

Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR

The plugin, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the propertyid parameter. PoC GET...

WordPress Findeo premium theme <= 1.2.6 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated Reflected Cross-Site Scripting XSS vulnerability discovered by m0ze Patchstack Red Team in WordPress Findeo premium theme versions = 1.2.6. Solution Update the WordPress Findeo premium theme to the latest available version at least 1.3.1...

WordPress Findeo premium theme <= 1.2.6 - Authenticated Insecure Direct Object References (IDOR) vulnerability

Authenticated Insecure Direct Object References IDOR vulnerability discovered by m0ze Patchstack Red Team in WordPress Findeo premium theme versions = 1.2.6. Solution Update the WordPress Findeo premium theme to the latest available version at least 1.3.1...