The Essential WP Real Estate plugin for WordPress, developed by smartdatasoft, suffers from a vulnerability identified as CVE-2024-13318, categorized under CWE-463 (Deletion of Data Structure Sentinel). This vulnerability exists because the cl_delete_listing_func() function lacks a proper capability check, which is a security control that verifies whether a user has the necessary permissions to perform a certain action. As a result, unauthenticated attackers can invoke this function remotely to delete arbitrary pages and posts within the WordPress site. The vulnerability affects all versions of the plugin up to and including version 1.1.3. The CVSS v3.1 base score is 5.3, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). This means the attacker can exploit the vulnerability remotely without authentication or user interaction, but the impact is limited to integrity by unauthorized deletion of content. No patches or fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability poses a risk to website content integrity, potentially leading to loss of important pages or posts, which can disrupt business operations and damage trust in the affected websites.

The primary impact of CVE-2024-13318 is on the integrity of website content managed by the Essential WP Real Estate plugin. Unauthorized deletion of pages and posts can result in loss of critical business data, disruption of website functionality, and damage to the reputation of organizations relying on the plugin for real estate listings. Although confidentiality and availability are not directly affected, the unauthorized modification of content can lead to operational challenges, loss of customer trust, and potential financial losses, especially for businesses that depend heavily on their online presence for sales and customer engagement. Since the vulnerability can be exploited without authentication or user interaction, the risk of automated or mass exploitation exists once exploit code becomes publicly available. Organizations with multiple WordPress sites using this plugin may face widespread impact. The lack of current known exploits provides a window for proactive mitigation, but the ease of exploitation and potential for significant content disruption make this a notable threat.

1. Monitor for official patches or updates from smartdatasoft and apply them immediately once available to address the missing capability check. 2. Until a patch is released, restrict access to the WordPress admin area and plugin endpoints using web application firewalls (WAFs) or IP whitelisting to block unauthorized requests targeting the cl_delete_listing_func() function. 3. Implement strict user role and capability management within WordPress to minimize exposure, ensuring only trusted users have permissions to delete listings. 4. Enable detailed logging and monitoring of deletion activities to detect suspicious or unauthorized deletion attempts promptly. 5. Consider temporarily disabling or uninstalling the Essential WP Real Estate plugin if the risk outweighs operational needs until a secure version is available. 6. Regularly back up website content and database to enable quick restoration in case of unauthorized deletions. 7. Conduct security audits and vulnerability scans focusing on WordPress plugins to identify similar issues proactively. 8. Educate site administrators about the risk and signs of exploitation to improve incident response readiness.