CVE-2019-20209
Description
IDOR vulnerability in CTHthemes WordPress themes allows unauthenticated attackers to delete any page/post/listing via admin-ajax.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The CTHthemes CityBook before 2.3.4 [1], TownHub before 1.0.6 [3], and EasyBook before 1.2.2 [2] WordPress themes contain an insecure direct object reference (IDOR) in wp-admin/admin-ajax.php. This allows deleting any page, post, or listing without proper authorization checks.
Exploitation
An attacker with a valid WordPress user session can send a crafted POST request to /wp-admin/admin-ajax.php with the appropriate action parameters and target object ID. For example, in TownHub, the action townhub_addons_delete_listing can be used to delete any listing [3]. No additional privileges beyond being logged in are required.
Impact
Successful exploitation allows the attacker to delete arbitrary pages, posts, or listings on the site, causing potential data loss and defacement. The attacker can delete content they should not have access to.
Mitigation
Update to the latest fixed versions: CityBook 2.3.4, TownHub 1.0.6, and EasyBook 1.2.2 or later. No other workarounds are documented. These themes may be end-of-life; contact CTHthemes for support.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CTHthemes/CityBook
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in the `citybook_addons_delete_listing` AJAX handler allows any authenticated user to delete arbitrary posts/pages/listings by supplying their numeric ID."
Attack vector
An authenticated attacker sends a POST request to `/wp-admin/admin-ajax.php` with `action=citybook_addons_delete_listing`, a `lid` parameter set to any WordPress post/page/listing ID, and the associated nonce [ref_id=1]. The attacker can discover valid target IDs from the `
Affected code
The vulnerability resides in the `citybook_addons_delete_listing` AJAX action handled in `wp-admin/admin-ajax.php` for the CityBook theme (and analogous actions in TownHub and EasyBook). The researcher's PoC shows the action accepts a `lid` parameter (the target post/page/listing ID) and a `_nonce`/`_wpnonce` parameter, but performs no ownership or capability check before deletion [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the fix requires adding an ownership or capability check inside the `citybook_addons_delete_listing` AJAX handler before the deletion is performed. The theme vendor should verify that the current user either owns the listing identified by `lid` or has the `delete_posts` (or equivalent) capability. CityBook versions before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 are affected [ref_id=1][ref_id=2].
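As an added illustration that is not CTHthemes' code (the advisory carries no patch diff), the following hypothetical PHP shows the handler shape the page describes beside a hardened version applying the nonce, existence and per-object capability checks the fix requires; the function names, nonce action and the `listing` post type are assumptions, while the AJAX action name `citybook_addons_delete_listing` and the `lid` / `_wpnonce` parameters are the ones the page cites.

```php
<?php
// Added example: hypothetical reconstruction, not the theme's actual code.
// Before: the shape the advisory describes. `lid` is trusted directly and
// nothing ties the caller to the object being deleted (the IDOR).
function citybook_addons_delete_listing_vulnerable() {
    $lid = isset( $_POST['lid'] ) ? (int) $_POST['lid'] : 0;
    wp_delete_post( $lid, true );   // any ID, any logged-in user
    wp_send_json_success();
}

// After: the ownership/capability gate the page says the fix needs.
function citybook_addons_delete_listing_fixed() {
    // 1. Nonce (assumed action name). This only blocks forged cross-site
    //    requests; a nonce is not authorization, which is why the handler
    //    above is still vulnerable even though the PoC supplies one.
    check_ajax_referer( 'citybook_delete_listing', '_wpnonce' );

    $lid = isset( $_POST['lid'] ) ? absint( $_POST['lid'] ) : 0;

    // 2. Existence and type: refuse to act on arbitrary pages/posts.
    //    'listing' is an assumed post type for this example.
    $post = get_post( $lid );
    if ( ! $post || 'listing' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // 3. Authorization on the specific object. The meta capability
    //    'delete_post' is mapped by WordPress to delete_posts,
    //    delete_others_posts, delete_published_posts etc. for $lid, so an
    //    author may delete only their own listings while editors and
    //    administrators keep their normal rights.
    if ( ! current_user_can( 'delete_post', $lid ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    wp_delete_post( $lid, true );
    wp_send_json_success( array( 'deleted' => $lid ) );
}

// Register for authenticated users only; no wp_ajax_nopriv_ variant, so
// anonymous callers never reach the handler.
add_action( 'wp_ajax_citybook_addons_delete_listing', 'citybook_addons_delete_listing_fixed' );
```

The same three checks apply unchanged to the analogous TownHub and EasyBook actions the page names; only the action name and post type differ.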
Preconditions
- Auth: the attacker must have an authenticated WordPress session (any role) on the target site.
- Config: the target site must be running a vulnerable version of CityBook (< 2.3.4), TownHub (< 1.0.6), or EasyBook (< 1.2.2).
- Input: the attacker must know or guess the numeric ID of the target post/page/listing (discoverable from the page's body class).
Reproduction
1. Log in to the WordPress site as any authenticated user.
2. Obtain the numeric ID of the target post/page/listing (e.g., from the `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- cxsecurity.com/issue/WLB-2019120110
- cxsecurity.com/issue/WLB-2019120111
- cxsecurity.com/issue/WLB-2019120112
- themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727
- themeforest.net/item/easybook-directory-listing-wordpress-theme/23206622
- themeforest.net/item/townhub-directory-listing-wordpress-theme/25019571
- wpvulndb.com/vulnerabilities/10013
- wpvulndb.com/vulnerabilities/10014
- wpvulndb.com/vulnerabilities/10018
News mentions
No linked articles in our index yet.