Reality < 2.4.0 – Multiple Persistent XSS

Description

----[]- Persistent XSS on any property page: -[]----
Vulnerable input fields:
1 - Description & Price -> 'PRICE POSTFIX TEXT' and 'SECOND PRICE POSTFIX TEXT';
2 - Additional Information -> 'TITLE' and 'VALUE';
3 - Location & Map -> 'ADDRESS *'.

Payload Sample: <img src=x onerror=(alert)(document.cookie)>

----[]- Persistent XSS on user profile page: -[]----
Vulnerable input fields:
Profile Information -> 'OFFICE NUMBER', 'MOBILE NUMBER' and 'FAX NUMBER'.

Payload Sample: "><script>alert('XSS');</script>

Edit (WPScanTeam):

The persistent XSS has been fixed for new submitted data, but existing payloads in the profile page will still be triggered.

Proof of Concept

----[]- Persistent XSS on any property page: -[]----
You need a new user account, then edit any existed property or create a new one.

Vulnerable input fields:
1 - Description & Price -> «PRICE POSTFIX TEXT» and «SECOND PRICE POSTFIX TEXT»;
2 - Additional Information -> «TITLE» and «VALUE»;
3 - Location & Map -> «ADDRESS *».

Payload Sample: <img src=x onerror=(alert)(document.cookie)>


----[]- Persistent XSS on user profile page: -[]----
http://reality.inwavethemes.com/dashboard/?tab=my-profile

Vulnerable input fields:
Profile Information -> «OFFICE NUMBER», «MOBILE NUMBER» and «FAX NUMBER».

Payload Sample: "><script>alert('XSS');</script>

Live example: http://reality.inwavethemes.com/author/asdasd/