Zoner - Real Estate WordPress Theme v4.1.1 Persistent XSS & IDOR

m0ze (RU)
Risk: Low
Local: No
Remote: Yes

# Exploit Title: Zoner - Real Estate WordPress Theme v4.1.1 Persistent XSS & IDOR
# Google Dork: inurl:/wp-content/themes/zoner/
# Date: 24/09/2019
# Exploit Author: m0ze
# Vendor Homepage:
# Software Link:
# Version: 4.1.1
# Tested on: Parrot OS
# CVE : -
# CWE : 79

----[]- Persistent XSS: -[]----

You need a new agent account. Log in and press the blue «Plus» button under the main menu («Add Your Property» text will pop up on hover); you will be redirected to the page. Put your payload inside the «Address» input field («Local information» block), press the «Create Property» button and check your payload on the page. Your new property must be approved by an admin, so this is a good point to steal some cookies :)

Payload Sample:

"><img src=x onerror=alert('Greetings from m0ze');window.location.replace('');>

PoC: log in as agentm0ze:WhgZbOUH (login/password) and go to the page.

----[]- IDOR: -[]----

You need a new agent account. Log in and create a new property. Then go to the page and pay attention to the trash icon under your property info. Open the developer console and check out this code:

<a title="Delete Property" href="#" data-toggle="modal" class="delete-property" data-propertyid="XXX"><i class="delete fa fa-trash-o"></i></a>

Edit the data-propertyid="XXX" attribute by typing, instead of XXX, the ID of the post or page you want to delete (you can get the post/page ID from the <body> tag class, e.g. postid-494, so the attribute for the post with ID 494 will be data-propertyid="494"). After you edit the ID, click on the trash icon and confirm deletion (POST

Funny fact: you can delete ANY post & page (!) you want. The security key (nonce) is not unique per request or per property, so it is possible to erase all pages and posts within a few minutes.
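To make the IDOR concrete, the following is an added example (not the Zoner theme's code; every name in it is a hypothetical stand-in) that models the delete-property handler in Python. It places a vulnerable version, which checks only a session-wide nonce and then deletes whatever ID it is given, beside a hardened version that binds the nonce to the specific property ID and checks post type and ownership. In WordPress terms those hardened checks correspond to check_ajax_referer('delete-property-' . $id), get_post_type($id) === 'property' and current_user_can('delete_post', $id); here the nonce is an HMAC and the content table is a constructed in-memory dict.

```python
"""Model of the delete-property authorization defect described in the advisory.

Added example, not the theme's code. The WordPress pieces are replaced by
plain Python: the nonce is an HMAC over (user, action) instead of
wp_create_nonce(), and SAMPLE_POSTS is a constructed in-memory content table.
"""
import hashlib
import hmac
import secrets

# Constructed: stands in for the site's nonce secret/salt.
NONCE_SECRET = secrets.token_bytes(32)

# Constructed sample content: post ID -> post type and owner.
# 494 is an ordinary page (the advisory's postid-494 example); 501 and 502
# are property listings owned by two different agents.
SAMPLE_POSTS = {
    494: {"type": "page", "owner": "admin"},
    501: {"type": "property", "owner": "agentm0ze"},
    502: {"type": "property", "owner": "agentbob"},
}


def make_nonce(user: str, action: str) -> str:
    """Nonce tied to a user and an action string (hypothetical stand-in for wp_create_nonce)."""
    digest = hmac.new(NONCE_SECRET, f"{user}|{action}".encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def verify_nonce(nonce: str, user: str, action: str) -> bool:
    return hmac.compare_digest(nonce, make_nonce(user, action))


def delete_property_vulnerable(posts: dict, user: str, nonce: str, property_id: int) -> bool:
    """The defect: one action-wide nonce, no ownership or post-type check.

    An agent who has rendered the trash icon once holds a nonce that validates
    for every property_id, so editing data-propertyid in the DOM deletes
    whatever post or page that ID names.
    """
    if not verify_nonce(nonce, user, "delete-property"):
        return False
    if property_id not in posts:
        return False
    del posts[property_id]
    return True


def delete_property_fixed(posts: dict, user: str, nonce: str, property_id: int) -> bool:
    """Hardened handler: nonce bound to the object, post type and owner checked."""
    if not verify_nonce(nonce, user, f"delete-property-{property_id}"):
        return False
    post = posts.get(property_id)
    if post is None or post["type"] != "property":
        return False  # never delete pages or other post types through this endpoint
    if post["owner"] != user:
        return False  # agents may only delete their own listings
    del posts[property_id]
    return True


def replay_advisory() -> dict:
    """Replays the advisory's scenario against both handlers and returns the outcomes."""
    agent = "agentm0ze"

    # Vulnerable site: the agent's action-wide nonce is replayed for page 494
    # and for another agent's listing 502.
    site_v = {k: dict(v) for k, v in SAMPLE_POSTS.items()}
    global_nonce = make_nonce(agent, "delete-property")
    vuln_deletes_page = delete_property_vulnerable(site_v, agent, global_nonce, 494)
    vuln_deletes_other_agent = delete_property_vulnerable(site_v, agent, global_nonce, 502)

    # Fixed site: the nonce issued with the trash icon is valid for 501 only.
    site_f = {k: dict(v) for k, v in SAMPLE_POSTS.items()}
    nonce_501 = make_nonce(agent, "delete-property-501")
    fixed_deletes_page = delete_property_fixed(site_f, agent, nonce_501, 494)
    fixed_deletes_other_agent = delete_property_fixed(site_f, agent, nonce_501, 502)
    fixed_deletes_own = delete_property_fixed(site_f, agent, nonce_501, 501)
    # Even a correctly bound nonce for 502 does not help: ownership is checked separately.
    nonce_502 = make_nonce(agent, "delete-property-502")
    fixed_deletes_other_with_right_nonce = delete_property_fixed(site_f, agent, nonce_502, 502)

    return {
        "vulnerable_deletes_page": vuln_deletes_page,
        "vulnerable_deletes_other_agent": vuln_deletes_other_agent,
        "fixed_deletes_page": fixed_deletes_page,
        "fixed_deletes_other_agent": fixed_deletes_other_agent,
        "fixed_deletes_own": fixed_deletes_own,
        "fixed_deletes_other_with_right_nonce": fixed_deletes_other_with_right_nonce,
        "vulnerable_remaining": sorted(site_v),
        "fixed_remaining": sorted(site_f),
    }


if __name__ == "__main__":
    for key, value in replay_advisory().items():
        print(f"{key}: {value}")
```

The per-object nonce is what defeats the DOM edit described above: a token issued for one trash icon no longer validates for a different ID. The ownership and post-type checks are still needed on top of it, because a nonce only proves the request came from a page the site served to this user, not that the user is allowed to delete the object. The XSS finding has a separate fix: the address must be escaped on output (esc_html() in WordPress) before it is rendered into the property page.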
