Reality | Estate Multipurpose <= 2.3.0 - Multiple Persistent XSS
Description
----[]- Persistent XSS on any property page: -[]----
Vulnerable input fields:
1 - Description & Price -> «PRICE POSTFIX TEXT» and «SECOND PRICE POSTFIX TEXT»;
2 - Additional Information -> «TITLE» and «VALUE»;
3 - Location & Map -> «ADDRESS *».

Payload Sample: <img src=x onerror=(alert)(document.cookie)>


----[]- Persistent XSS on user profile page: -[]----
Vulnerable input fields:
Profile Information -> «OFFICE NUMBER», «MOBILE NUMBER» and «FAX NUMBER».

Payload Sample: "><script>alert('XSS');</script>


Edit (WPScanTeam):

The persistent XSS has been fixed for new submitted data, but existing payloads in the profile page will still be triggered.

Proof of Concept
----[]- Persistent XSS on any property page: -[]----
You need a new user account, then edit any existing property or create a new one.

Vulnerable input fields:
1 - Description & Price -> «PRICE POSTFIX TEXT» and «SECOND PRICE POSTFIX TEXT»;
2 - Additional Information -> «TITLE» and «VALUE»;
3 - Location & Map -> «ADDRESS *».

Payload Sample: <img src=x onerror=(alert)(document.cookie)>


----[]- Persistent XSS on user profile page: -[]----
http://reality.inwavethemes.com/dashboard/?tab=my-profile

Vulnerable input fields:
Profile Information -> «OFFICE NUMBER», «MOBILE NUMBER» and «FAX NUMBER».

Payload Sample: "><script>alert('XSS');</script>

Live example: http://reality.inwavethemes.com/author/asdasd/
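As an added example (not code from the Reality theme, the advisory author or WPScanTeam), the following PHP shows the two halves of a durable fix for stored fields like the ones listed above on a WordPress site, and why a fix that only filters newly submitted data leaves previously stored payloads live, as the WPScanTeam note describes. It assumes a WordPress runtime; the meta keys and the function names are placeholders, not the theme's real ones.

```php
<?php
// Added example, not the theme's own code. Meta keys below are hypothetical
// placeholders; the advisory does not name the theme's real storage keys.
const PRICE_POSTFIX_KEY = 'reality_price_postfix';                          // hypothetical
const PHONE_KEYS        = ['office_number', 'mobile_number', 'fax_number'];  // hypothetical

// Vulnerable pattern: a stored value is echoed straight into the property
// template. A sanitizer added only on save does nothing for values that were
// stored before the sanitizer existed, which is exactly the "existing payloads
// will still be triggered" situation from the WPScanTeam note.
function render_price_postfix_unsafe(int $post_id): string {
    $postfix = get_post_meta($post_id, PRICE_POSTFIX_KEY, true);
    return '<span class="price-postfix">' . $postfix . '</span>';
}

// Fix, part one: escape at the point of output, for the context the value lands in.
// esc_html() is WordPress's own helper (htmlspecialchars() with ENT_QUOTES is the
// plain-PHP equivalent). Old and new stored values are both neutralised here.
function render_price_postfix_safe(int $post_id): string {
    $postfix = get_post_meta($post_id, PRICE_POSTFIX_KEY, true);
    return '<span class="price-postfix">' . esc_html($postfix) . '</span>';
}

// The profile payload in the advisory starts with "> to break out of an attribute,
// so phone numbers that end up inside an attribute need esc_attr(), while the
// visible text needs esc_html(). Each context gets its own escaper.
function render_phone_link_safe(string $number): string {
    return '<a href="tel:' . esc_attr($number) . '">' . esc_html($number) . '</a>';
}

// Fix, part two: a one-off cleanup of already-stored values so that even a
// template someone forgot to escape cannot replay an old payload. Returns the
// number of meta values rewritten, which is handy for an audit log.
function cleanup_stored_profile_numbers(): int {
    $changed = 0;
    foreach (get_users(['fields' => 'ID']) as $user_id) {
        foreach (PHONE_KEYS as $key) {
            $value = get_user_meta($user_id, $key, true);
            if (!is_string($value) || $value === '') {
                continue;
            }
            $clean = wp_strip_all_tags($value);
            if ($clean !== $value) {
                update_user_meta($user_id, $key, $clean);
                $changed++;
            }
        }
    }
    return $changed;
}

// Audit query to find stored values that contain markup before running the
// cleanup (table prefix wp_ and meta keys are placeholders):
//   SELECT user_id, meta_key, meta_value FROM wp_usermeta
//    WHERE meta_key IN ('office_number', 'mobile_number', 'fax_number')
//      AND meta_value LIKE '%<%';
```

Escaping on output is the part that actually closes the hole, because it does not depend on what was stored or when; the cleanup pass is defence in depth for values written before the fix and for any remaining raw echo elsewhere in the theme. Run the audit query first so the cleanup's changed-row count can be checked against what was found.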

Affects Theme

Fixed in version 2.4.0

References

URL https://themeforest.net/item/reality-real-estate-wordpress-theme/21627776

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher subversa
Submitter subversa
Views 3167
Verified No
WPVDB ID 9905

Timeline

Publicly Published 2019-09-08
Added 2019-10-11
Last Updated 2019-10-14
