Nexos - Real Estate < 1.8 - Unauthenticated Reflected XSS & SQL Injection



Description
Unauthenticated reflected XSS and SQL injection vulnerabilities were discovered in the «Nexos - Real Estate WordPress Theme». The tested version was v1.7.

June 17th, 2020 - Confirmed & Escalated to Envato.
June 19th, 2020 - v1.8 released, fixing the issues.

Proof of Concept

The PoC will be displayed on July 12, 2020, to give users the time to update.

Affects Theme

fixed in version 1.8

References

CVE 2020-15363
CVE 2020-15364
URL https://themeforest.net/item/nexos-real-estate-agency-directory/21126242

Classification

Type MULTI

Miscellaneous

Original Researcher Vlad Vector
Submitter VLΛD VΞCTOR
Submitter Website https://vladvector.ru
Submitter Twitter vlad_vector
Views 433
Verified Yes
WPVDB ID 10285

Timeline

Publicly Published 2020-06-28 (11 days ago)
Added 2020-06-28 (11 days ago)
Last Updated 2020-06-29 (10 days ago)
