Themes Vulnerabilities

Nexos - Real Estate < 1.8 - Unauthenticated Reflected XSS & SQL Injection

Description

Unauthenticated Reflected XSS and SQL Injection vulnerabilities were discovered in the «Nexos - Real Estate WordPress Theme», tested version — v1.7.

June 17th, 2020 - Confirmed & Escalated to Envato.
June 19th, 2020 - v1.8 released. Fixing the issues.

Proof of Concept

Affects Themes

nexos
Fixed in 1.8

References

CVE
CVE-2020-15363
CVE
CVE-2020-15364
URL
https://themeforest.net/item/nexos-real-estate-agency-directory/21126242

Miscellaneous

Original Researcher
Vlad Vector
Submitter
VLΛD VΞCTOR
Submitter website
https://vladvector.ru
Submitter twitter
vlad_vector
Verified
Yes
WPVDB ID
80e462ca-41f9-4805-bb85-449f2045cfbb

Timeline

Publicly Published
2020-06-28 (about 5 years ago)
Added
2020-06-28 (about 5 years ago)
Last Updated
2020-06-29 (about 5 years ago)

Other

Published
Title
Published
2017-05-31
Title
Simple Slideshow Manager <= 2.3 – Multiple Vulnerabilities
Published
2024-01-17
Title
popup-builder < 4.2.6 - Admin+ SSRF & File Read
Published
2016-04-05
Title
WP Customer Reviews < 3.0.9 - CSRF & XSS
Published
2018-11-15
Title
Slideshow Gallery <= 1.6.8 - XSS and SQLi
Published
2014-09-17
Title
Ready! Ecommerce 0.5.0 - CSRF & XSS