Zoner <= 4.1.1 - Persistent XSS & IDOR

----[]- Persistent XSS: -[]----
The «Address» input field in the «Local information» block is vulnerable to persistent XSS, so a stored payload can be used to steal admin cookies, perform redirects, etc.

----[]- IDOR: -[]----
A POST request (where XXX is the page or post ID and YYY is the account security code) will delete any page or post you want.

Edit (WPScanTeam) - Theme is still affected
October 11th, 2019 - Contacted Envato
October 14th - Envato Investigating
November 3rd - No updates, disclosing
Proof of Concept
----[]- Persistent XSS: -[]----
Create a new agent account, log in and add a new property ( , where XXXX is your author ID). Put your payload inside the «Address» input field («Local information» block), press the «Create Property» button and check your payload on the page. Your new property must be approved by an admin, so this is a good point to steal some cookies :)

Payload Sample: "><img src=x onerror=alert('Greetings from m0ze');window.location.replace('');>

PoC: log in as agentm0ze:WhgZbOUH (login/password) and go to the page.

----[]- IDOR: -[]----
Create a new agent account and then create a new property. Then go to the page and pay attention to the trash icon under your property info. Open the developer console and check out this code: <a title="Delete Property" href="#" data-toggle="modal" class="delete-property" data-propertyid="XXX"><i class="delete fa fa-trash-o"></i></a>. Edit the data-propertyid="XXX" attribute, replacing XXX with the ID of the post or page you want to delete (you can get the post/page ID from the <body> tag class -> postid-494, so the attribute for the post with ID 494 will be data-propertyid="494"). After you edit the ID, click on the trash icon and confirm the deletion (POST request).

Funny fact: you can delete ANY post & page (!) you want. The security key is not unique for each request, so it is possible to erase all pages and posts within a few minutes.
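Both findings come down to the same two missing controls: the address value is rendered without output escaping, and the delete endpoint accepts any post ID with a security key that is not bound to the object or the request. The following is an added example of how a theme would close both gaps using WordPress's own APIs. It is not the Zoner theme's code; the hook name (`example_delete_property`), the nonce action prefix, the `property` post type name and the `example_property_address` meta key are assumptions chosen for illustration.

```php
<?php
// Added example (not the Zoner theme's code): escaped output for the stored
// «Address» value and a delete-property AJAX handler with a per-object nonce
// and a per-object capability check. Hook names, the nonce action, the post
// type name and the meta key are assumptions for illustration.

// --- 1. Persistent XSS: escape on output. ---
// Whatever string was saved, esc_html() converts <, >, " and ' to entities,
// so a stored "><img src=x onerror=...> payload is displayed as text rather
// than executed when the property page is viewed by an admin.
function example_render_property_address( int $post_id ): string {
    // 'example_property_address' is a placeholder meta key.
    $address = (string) get_post_meta( $post_id, 'example_property_address', true );
    return '<span class="property-address">' . esc_html( $address ) . '</span>';
}

// Defense in depth: strip tags when the submitted form is saved, so the
// stored value itself carries no markup. Output escaping remains the
// primary control, because other templates may print the same meta value.
function example_save_property_address( int $post_id, array $request ): void {
    $address = sanitize_text_field( wp_unslash( $request['address'] ?? '' ) );
    update_post_meta( $post_id, 'example_property_address', $address );
}

// --- 2. IDOR: bind the token to the object and authorize per object. ---
// The trash link carries a nonce whose action includes the property ID, so
// a token issued for one property does not validate for any other ID.
function example_delete_property_link( int $post_id ): string {
    $nonce = wp_create_nonce( 'example_delete_property_' . $post_id );
    return sprintf(
        '<a href="#" class="delete-property" data-propertyid="%d" data-nonce="%s" title="Delete Property">'
        . '<i class="delete fa fa-trash-o"></i></a>',
        $post_id,
        esc_attr( $nonce )
    );
}

add_action( 'wp_ajax_example_delete_property', 'example_ajax_delete_property' );
function example_ajax_delete_property(): void {
    $post_id = isset( $_POST['propertyid'] ) ? absint( $_POST['propertyid'] ) : 0;

    // (a) The nonce must have been issued to this user for this exact post ID.
    //     A single key shared across requests, as the advisory describes, fails
    //     here as soon as the ID is changed. check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_delete_property_' . $post_id, 'nonce' );

    // (b) Only the expected post type may be deleted through this endpoint,
    //     which rules out arbitrary pages and blog posts regardless of the ID.
    $post = get_post( $post_id );
    if ( ! $post || 'property' !== $post->post_type ) { // 'property' is an assumed post type
        wp_send_json_error( array( 'message' => 'Not a property.' ), 400 );
    }

    // (c) Ownership check via WordPress's capability map: for a post type
    //     registered with map_meta_cap => true, 'delete_post' resolves to
    //     delete_posts for the author and delete_others_posts for everyone
    //     else, so an agent cannot delete another user's property.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    if ( ! wp_trash_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
```

The capability check in step (c) only does what the comment says if the property post type is registered with `map_meta_cap => true` (or with explicit `delete_posts`/`delete_others_posts` capabilities); a theme that registers the type without it would need its own author comparison against `$post->post_author`. A useful detection signal for the original issue is a burst of property-delete requests from one agent account whose IDs are not that account's own properties.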

Affects Theme

no known fix


ExploitDB 47436


Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)


Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Views 10952
Verified No


Publicly Published 2019-09-27 (10 months ago)
Added 2019-11-03 (8 months ago)
Last Updated 2019-11-28 (8 months ago)
