Real Estate 7 <= 2.9.0 - Stored XSS & IDOR



Description
The «Real Estate 7» premium WordPress theme is vulnerable to persistent XSS injection that allows an attacker to inject JavaScript or HTML code into the website front-end. There is also an Insecure Direct Object Reference issue, allowing unauthorised users to edit listings they should not have access to.

Demo Website:
- Frontend: https://contempothemes.com/wp-real-estate-7/multi-demo/
- Backend: https://contempothemes.com/wp-real-estate-7/multi-demo/dashboard/
- Login / Password: m0ze / asdasd (or register a new account)
Proof of Concept
PoC [Persistent XSS Injection]:
Register a new account as a seller or agent, log in and choose the free membership package on the dashboard. After that you'll be able to submit a new listing -> https://contempothemes.com/wp-real-estate-7/multi-demo/submit-listing/
For persistent XSS injection you need to add your payload inside the «Virtual Tour Embed» text area (on the «DETAILS» step) and then press the «Submit» button.
Example: <img src="x" onerror="(alert)(`m0ze`)">

Live example (Login / Password: m0ze / asdasd): https://contempothemes.com/wp-real-estate-7/multi-demo/?post_type=listings&p=5107
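
A server-side allowlist check for the embed field described in the PoC, as an added example; it is not the theme's code and not the vendor's 2.9.1 fix. The host list, attribute list and the function name check_embed are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists; replace with the tour providers a site actually uses.
ALLOWED_HOSTS = {"my.matterport.com", "www.youtube.com", "player.vimeo.com"}
ALLOWED_ATTRS = {"src", "width", "height", "frameborder", "allowfullscreen", "allow"}
# Constructed inputs: the advisory's PoC value and a benign embed (placeholder tour id).
POC = '<img src="x" onerror="(alert)(`m0ze`)">'
BENIGN = '<iframe src="https://my.matterport.com/show/?m=EXAMPLE" width="853" height="480" allowfullscreen></iframe>'


class _EmbedChecker(HTMLParser):
    """Collects every reason a submitted embed is not a plain allowlisted iframe."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.problems, self.iframes = [], 0

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            self.problems.append(f"tag <{tag}> not allowed")
            return
        self.iframes += 1
        names = {name for name, _ in attrs}
        if len(names) != len(attrs):
            # Browsers keep the first duplicate, dict() keeps the last: reject outright.
            self.problems.append("duplicate attribute")
        for name in sorted(names - ALLOWED_ATTRS):
            self.problems.append(f"attribute {name} not allowed")
        url = urlparse(dict(attrs).get("src") or "")
        if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
            self.problems.append("iframe src is not https on an allowed host")

    def handle_data(self, data):
        if data.strip():
            self.problems.append("text content not allowed")


def check_embed(value):
    """Return a list of problems; an empty list means the value may be stored."""
    checker = _EmbedChecker()
    checker.feed(value)
    checker.close()
    if not checker.problems and checker.iframes != 1:
        checker.problems.append("expected exactly one iframe")
    return checker.problems

if __name__ == "__main__":
    for sample in (POC, BENIGN):
        print(check_embed(sample) or "ok", "<-", sample)
```

The check belongs where the listing is saved on the server; the stored value should still be treated as untrusted when it is rendered.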

Affects Theme

Fixed in version 2.9.1

References

EXPLOITDB 47184
PACKETSTORM 153802
URL https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778

Classification

Type MULTI

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Verified Yes
WPVDB ID 9492

Timeline

Publicly Published 2019-07-29 (4 months ago)
Added 2019-08-03 (3 months ago)
Last Updated 2019-08-20 (3 months ago)
