Zoner <= 4.1.1 - Persistent XSS & IDOR



Description
----[]- Persistent XSS: -[]----
The «Address» input field in the «Local information» block is vulnerable, so a payload placed there can be used to steal admin cookies, perform redirects, etc.


----[]- IDOR: -[]----
A POST request to https://zoner.fruitfulcode.com/wp-admin/admin-ajax.php?action=delete_property_act&property_id=XXX&security=YYY (where XXX is the page or post ID and YYY is the account's security code) will delete any page or post you want.


Edit (WPScanTeam) - Theme is still affected
October 11th, 2019 - Contacted Envato
October 14th - Envato Investigating
November 3rd - No updates, disclosing
Proof of Concept
----[]- Persistent XSS: -[]----
Create a new agent account, log in and add a new property (https://zoner.fruitfulcode.com/?add-property=XXXX , where XXXX is your author ID). Put your payload in the «Address» input field («Local information» block), press the «Create Property» button and check your payload on the https://zoner.fruitfulcode.com/author/your_login/?profile-page=my_properties page. Your new property must be approved by an admin, so this is a good point to steal some cookies :)

Payload Sample: "><img src=x onerror=alert('Greetings from m0ze');window.location.replace('http://defcon.su');>

PoC: log in as agentm0ze:WhgZbOUH (login/password) and go to the https://zoner.fruitfulcode.com/author/agentm0ze/?profile-page=my_properties page.


----[]- IDOR: -[]----
Create a new agent account and then create a new property. Then go to the https://zoner.fruitfulcode.com/author/your_login/?profile-page=my_properties page and pay attention to the trash icon under your property info. Open the developer console and find this markup: <a title="Delete Property" href="#" data-toggle="modal" class="delete-property" data-propertyid="XXX"><i class="delete fa fa-trash-o"></i></a>. Edit the data-propertyid="XXX" attribute, replacing XXX with the ID of the post or page you want to delete (you can get the post/page ID from the <body> tag class, e.g. postid-494, so the attribute for the post with ID 494 will be data-propertyid="494"). After editing the ID, click the trash icon and confirm the deletion (POST https://zoner.fruitfulcode.com/wp-admin/admin-ajax.php?action=delete_property_act&property_id=494&security=1304db23f0). Funny fact: you can delete ANY post or page (!) you want; the security key is not unique per request, so it's possible to erase all pages and posts within a few minutes.
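How both findings would be closed on the server side, as an added example that is not the Zoner theme's own code: a hardened delete_property_act AJAX handler (the nonce only guards against CSRF; the per-post capability check is what the IDOR actually lacks) plus output escaping for the stored address. The function names, the 'property' post type and the '_property_address' meta key are assumptions.

```php
<?php
// Added, illustrative code (not the Zoner theme's own implementation). The
// function names, the 'property' post type and the meta key are assumptions.

// --- IDOR: authorize every delete; do not rely on the nonce alone. ---
add_action( 'wp_ajax_delete_property_act', 'example_delete_property_act' );

function example_delete_property_act() {
    $property_id = isset( $_POST['property_id'] ) ? absint( $_POST['property_id'] ) : 0;

    // A nonce is CSRF protection, not authorization: it proves the request came
    // from a page this user loaded, not that this user may delete this post.
    // Tying it to the specific property (same action string as in
    // example_property_delete_nonce below) stops one token being reused across IDs.
    check_ajax_referer( 'delete_property_' . $property_id, 'security' );

    // Only objects of the intended post type may be deleted via this endpoint,
    // so IDs belonging to pages or blog posts are rejected outright.
    $post = get_post( $property_id );
    if ( ! $post || 'property' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not a property.' ), 404 );
    }

    // The ownership check. WordPress maps 'delete_post' to delete_posts for the
    // author's own items and to delete_others_posts for anyone else's, so an
    // agent can only remove properties they created themselves.
    if ( ! current_user_can( 'delete_post', $property_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    wp_trash_post( $property_id ); // recoverable, unlike wp_delete_post( $id, true )
    wp_send_json_success( array( 'deleted' => $property_id ) );
}

// The value the front end sends as the 'security' parameter, generated per property.
function example_property_delete_nonce( $property_id ) {
    return wp_create_nonce( 'delete_property_' . absint( $property_id ) );
}

// --- Stored XSS: escape the stored address at output time. ---
// Sanitizing on save (sanitize_text_field) is good hygiene, but output escaping
// is what keeps a stored "><img src=x onerror=...> from rendering as markup.
function example_render_property_address( $post_id ) {
    $address = get_post_meta( $post_id, '_property_address', true );
    return '<span class="property-address">' . esc_html( $address ) . '</span>';
}
```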

Affects Theme

References

EXPLOITDB 47436
URL https://themeforest.net/item/zoner-real-estate-wordpress-theme/9099226

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Website https://m0ze.ru
Submitter Twitter m0ze_ru
Views 1152
Verified No
WPVDB ID 9934

Timeline

Publicly Published 2019-09-27 (about 2 months ago)
Added 2019-11-03 (16 days ago)
Last Updated 2019-11-03 (16 days ago)
