Selio - Real Estate Directory <= 1.1 - SQL Injection & Persistent XSS



Description
----[]- SQL Injection: -[]----
Vulnerable 'id' parameter is https://listing-themes.com/selio-wp/wp-admin/admin.php?page=ownlisting_addlisting&id=21


----[]- Persistent XSS: -[]----
You need a new user account, then go to any property listing on the website and use «ENQUIRY FORM» on the right sidebar. Or you can press the «REPORT LISTING» button on any property page and use your payload inside the «Message» text box.

Edit (WPscanTeam) - This has been hot fixed in v1.1 on September 9th, 2019, so there are two v1.1 out there, one with the issues, and one with the fixes. As a result, the fixed in has been set to 1.1.1 (which does not exist yet, but once a new version is released, the issue won't be displayed anymore)
Proof of Concept
----[]- SQL Injection: -[]----
You need a new user account (agent:agent on the demo website), then use the sqlmap (with --cookie option):

sqlmap --url="https://listing-themes.com/selio-wp/wp-admin/admin.php?page=ownlisting_addlisting&id=21" --cookie="wordpress_logged_in_0123456789=agent%7C1a2b3c4d5e6f7g8h9i0j; wordpress_sec_0123456789=agent%7C0a1b2c3d4e5f6g7h8i9j" --dbs -D geniuscr_selio --tables


----[]- Persistent XSS: -[]----
You need a new user account, then go to any property listing on the website and use «ENQUIRY FORM» on the right sidebar. Vulnerable text area is «Message». Injection will trigger on the https://listing-themes.com/selio-wp/wp-admin/admin.php?page=ownlisting_messages page many times for any basic user.

Or you can press the «REPORT LISTING» button on any property page and use your payload inside the «Message» text box. Injection will trigger on the https://listing-themes.com/selio-wp/wp-admin/admin.php?page=listing_reports page when administrator will be online.

Affects Theme

fixed in version 1.1.1

References

URL https://themeforest.net/item/selio-real-estate-wordpress-theme/23638400

Classification

Type MULTI

Miscellaneous

Original Researcher subversa
Submitter subversa
Views 1788
Verified No
WPVDB ID 9888

Timeline

Publicly Published 2019-09-08 (about 1 month ago)
Added 2019-09-25 (26 days ago)
Last Updated 2019-10-14 (7 days ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin