CVE-2024-13307: CWE-862 Missing Authorization in pixel_prime Reales WP - Real Estate WordPress Theme
The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user.
AI Analysis
Technical Summary
CVE-2024-13307 affects the Reales WP - Real Estate WordPress Theme by pixel_prime, all versions up to and including 2.1.2. The root cause is missing authorization (CWE-862): the functions 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites' and 'reales_remove_from_favourites' perform their action without first checking that the requester holds a capability that permits it. The first two delete attachments; the other two change a user's list of favourite property listings. Because no capability check is made, an unauthenticated attacker can delete arbitrary attachments (any attachment ID on the site, not only files the theme itself manages) and add or remove favourites for any user. A missing capability check is an authorization failure and is distinct from a missing nonce check: a nonce alone would stop cross-site request forgery but not a direct request, and a capability check alone would not stop CSRF, so a correct fix needs both. The vulnerability is reachable remotely with no authentication and no user interaction. The CVSS v3.1 base score is 5.3 (medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, an integrity-only rating: the flaw discloses nothing and is not scored as a denial of service, although losing attachments can still remove content that a listing depends on. No patch had been released at the time of this report, and no in-the-wild exploitation had been observed. The CVE was reserved by Wordfence (the assigning CNA) and has been enriched by CISA.
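To make the CWE-862 pattern concrete, the following is an added example and not code from the Reales WP theme: a WordPress AJAX handler written the vulnerable way, next to a hardened version that adds the nonce, capability and ownership checks. The action names follow the function names in the advisory; the request parameters 'attachment_id' and 'property_id', the user-meta key '_reales_favourites', the 'property' post type and the nonce action strings are assumptions for illustration.

```php
<?php
// Added example, not code from the Reales WP theme. Action names follow the
// advisory; parameter names, meta key, post type and nonce actions are assumed.

/*
 * Vulnerable pattern (CWE-862). A handler like this, registered with
 *   add_action( 'wp_ajax_reales_delete_file',        'example_delete_file_vulnerable' );
 *   add_action( 'wp_ajax_nopriv_reales_delete_file', 'example_delete_file_vulnerable' );
 * lets anyone who can reach admin-ajax.php delete any attachment by ID:
 * no nonce (CSRF), no capability check (authorization), no ownership check.
 */
function example_delete_file_vulnerable() {
    $attachment_id = isset( $_POST['attachment_id'] ) ? (int) $_POST['attachment_id'] : 0;
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}

/* Hardened version of the same action. */
function example_delete_file_hardened() {
    // CSRF: the request must carry a nonce minted for this action; check_ajax_referer
    // terminates the request (HTTP 403) when the nonce is missing or invalid.
    check_ajax_referer( 'reales_delete_file', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }
    // Authorization: WordPress maps 'delete_post' on an attachment to delete_posts
    // for its owner and delete_others_posts for anyone else, so a low-privilege
    // user cannot remove another user's upload.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}
// Logged-in users only: there is deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_reales_delete_file', 'example_delete_file_hardened' );

/* Favourites: the change is bound to the authenticated user and never to a user
 * ID taken from the request, so one user cannot edit another user's list. */
function example_toggle_favourite( $add ) {
    check_ajax_referer( 'reales_favourites', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $property_id = isset( $_POST['property_id'] ) ? absint( $_POST['property_id'] ) : 0;
    if ( ! $property_id || 'property' !== get_post_type( $property_id ) ) { // assumed post type
        wp_send_json_error( 'invalid property', 400 );
    }
    $user_id = get_current_user_id();
    $favs    = array_filter( array_map( 'absint', (array) get_user_meta( $user_id, '_reales_favourites', true ) ) );
    $favs    = $add ? array_merge( $favs, array( $property_id ) ) : array_diff( $favs, array( $property_id ) );
    $favs    = array_values( array_unique( $favs ) );
    update_user_meta( $user_id, '_reales_favourites', $favs );
    wp_send_json_success( array( 'favourites' => $favs ) );
}
add_action( 'wp_ajax_reales_add_to_favourites', function () { example_toggle_favourite( true ); } );
add_action( 'wp_ajax_reales_remove_from_favourites', function () { example_toggle_favourite( false ); } );
```

The front-end script must send the nonce (for instance via wp_localize_script with wp_create_nonce('reales_delete_file')) for the hardened handlers to accept a request. The two checks are not interchangeable: check_ajax_referer only proves the request originated from a page this site served to this session, while current_user_can is what actually answers "may this account delete this object", which is the check CWE-862 says is missing.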
Potential Impact
The primary impact of CVE-2024-13307 is unauthorized modification of site data: deletion of attachments and manipulation of users' favourite listings. For a site running the Reales WP theme this means loss of media files, a degraded user experience and reputational damage from visible tampering. Confidentiality and availability are not scored, but the integrity breach undermines trust in the site and its data. Real estate sites depend on accurate listings and their media; an attacker who deletes property photos, floor plans or marketing images disrupts day-to-day operations and, because attachments are referenced by ID from listings, can leave pages with broken images until the files are restored from backup. The absence of any authentication requirement and the simplicity of the requests make automated, mass exploitation across many sites practical. No exploitation in the wild was known at the time of writing, but a missing-authorization flaw in a commercial theme with a wide install base is an attractive target for attackers seeking to deface or disrupt real estate websites.
Mitigation Recommendations
1. Update the Reales WP theme to a fixed version as soon as the vendor publishes one; until then, watch the vendor's release channel and the Wordfence advisory for a patched version number.
2. While unpatched, virtually patch: add web application firewall (WAF) rules, or a site-level must-use plugin, that reject requests invoking 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites' and 'reales_remove_from_favourites' from unauthenticated sessions, and require an appropriate capability for the two delete actions.
3. Reduce exposure by IP-restricting or VPN-gating wp-admin and other administrative endpoints. Caveat: if the vulnerable functions are reached through admin-ajax.php, the usual entry point for theme front-end features such as favourites, a blanket IP restriction on that file will break legitimate visitor functionality; filter on the action name instead.
4. Audit the media library and user favourite lists for unexpected deletions or changes; for attachment deletions, look for listings whose featured image or gallery references an attachment ID that no longer exists.
5. Run a WordPress security plugin whose firewall can block the affected actions and alert on request spikes against them. A plugin cannot retrofit capability checks into the theme's own code; it can only intercept requests before they reach it.
6. Keep tested backups of the database and wp-content/uploads so deleted attachments and altered favourite lists can be restored.
7. Educate site administrators on the risk of running outdated themes and the need for timely updates.
8. Review and harden user roles and capabilities so that a compromised low-privilege account cannot do more damage than necessary.
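The stopgap in recommendation 2, as an added example rather than anything shipped by the vendor: a must-use plugin that runs on admin_init, which admin-ajax.php fires before any wp_ajax_* or wp_ajax_nopriv_* hook, and refuses the four actions unless the caller is logged in and, for deletions, allowed to delete the target attachment. It assumes the four functions are reachable as admin-ajax.php actions with the same names and that deletions pass the target as 'attachment_id'; both are assumptions to verify against the installed theme before deploying.

```php
<?php
/**
 * Plugin Name: CVE-2024-13307 virtual patch (added example, not vendor code)
 * Description: Drop into wp-content/mu-plugins/ as a stopgap until the theme is patched.
 *
 * Assumptions: the affected functions are admin-ajax.php actions named as in the
 * advisory, and delete requests carry the target as 'attachment_id'. Adjust both
 * lists if the installed theme differs; the guard fails closed if it is wrong.
 */

const EXAMPLE_REALES_GUARDED_ACTIONS = array(
    'reales_delete_file',
    'reales_delete_file_plans',
    'reales_add_to_favourites',
    'reales_remove_from_favourites',
);

const EXAMPLE_REALES_DELETE_ACTIONS = array(
    'reales_delete_file',
    'reales_delete_file_plans',
);

function example_reales_deny( $action, $status ) {
    // Leave an audit trail in the PHP error log, then stop the request before
    // the theme's handler can run.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    error_log( sprintf( 'CVE-2024-13307 guard: blocked action=%s ip=%s status=%d', $action, $ip, $status ) );
    wp_send_json_error( 'forbidden', $status );
}

function example_reales_virtual_patch() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! in_array( $action, EXAMPLE_REALES_GUARDED_ACTIONS, true ) ) {
        return;
    }

    // The advisory's attacker is unauthenticated: refuse those callers outright,
    // so the theme's wp_ajax_nopriv_ handler is never reached.
    if ( ! is_user_logged_in() ) {
        example_reales_deny( $action, 401 );
    }

    // For deletions, additionally require the capability the theme forgot to check.
    if ( in_array( $action, EXAMPLE_REALES_DELETE_ACTIONS, true ) ) {
        $attachment_id = isset( $_REQUEST['attachment_id'] ) ? absint( $_REQUEST['attachment_id'] ) : 0; // assumed name
        if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id )
            || ! current_user_can( 'delete_post', $attachment_id ) ) {
            example_reales_deny( $action, 403 );
        }
    }
}
// Priority 0 so it runs ahead of anything else hooked to admin_init.
add_action( 'admin_init', 'example_reales_virtual_patch', 0 );
```

This closes the unauthenticated path the advisory describes and adds an authorization check for deletions, but it does not add a nonce check, because the theme's own JavaScript would not send one; CSRF against a logged-in user therefore remains until the vendor fix. If the theme passes the attachment under a different parameter name, every deletion is denied rather than allowed, which is the safe failure; correct the name once you have confirmed it from the theme source. Remove the plugin once a patched theme version is installed.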
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, South Africa, Netherlands, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-09T20:07:48.886Z
- CISA Enriched: true
Threat ID: 682d9840c4522896dcbf1566
Added to database: 5/21/2025, 9:09:20 AM
Last enriched: 2/28/2026, 11:53:11 AM
Last updated: 3/24/2026, 11:57:52 PM