Reality < 2.4.0 - Multiple Persistent XSS

Description

----[]- Persistent XSS on any property page: -[]----
Vulnerable input fields:
1 - Description & Price -> 'PRICE POSTFIX TEXT' and 'SECOND PRICE POSTFIX TEXT';
2 - Additional Information -> 'TITLE' and 'VALUE';
3 - Location & Map -> 'ADDRESS *'.

Payload Sample: <img src=x onerror=(alert)(document.cookie)>

----[]- Persistent XSS on user profile page: -[]----
Vulnerable input fields:
Profile Information -> 'OFFICE NUMBER', 'MOBILE NUMBER' and 'FAX NUMBER'.

Payload Sample: "><script>alert('XSS');</script>

Edit (WPScanTeam):

The persistent XSS has been fixed for newly submitted data, but existing payloads in the profile page will still be triggered.
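
Because the fix covers only new submissions, values stored before the upgrade still have to be found and escaped or cleaned. The following is an added example, not part of the advisory or the theme's code: it audits exported field values and returns the ones that would render as active markup, in escaped form. The row layout (id, field label, value) and the phone-number allow-list are assumptions; the field labels and the two payloads are the ones quoted in this advisory.

```python
import html
import re
from html.parser import HTMLParser

# Field labels come from the advisory; the exported row layout is an assumption.
PHONE_FIELDS = {"OFFICE NUMBER", "MOBILE NUMBER", "FAX NUMBER"}
# Assumed allow-list for phone fields: digits and common separators only.
PHONE_RE = re.compile(r"[0-9+()./\s-]{0,32}")


class _TagFinder(HTMLParser):
    """Collects every start tag the HTML parser recognises in a value."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def is_suspect(field, value):
    """True if a stored value would become active markup when echoed raw."""
    if field in PHONE_FIELDS:
        return PHONE_RE.fullmatch(value) is None  # anything but phone characters
    finder = _TagFinder()
    finder.feed(value)
    finder.close()
    return bool(finder.tags)  # free-text fields must not contain tags


def audit(rows):
    """Return (row id, field, escaped value) for each legacy value to clean."""
    return [(rid, field, html.escape(value, quote=True))
            for rid, field, value in rows if is_suspect(field, value)]


# Constructed sample rows; the two payloads are the samples quoted in the advisory.
SAMPLE_ROWS = [
    (1, "MOBILE NUMBER", "+1 (555) 010-0000"),
    (2, "FAX NUMBER", "\"><script>alert('XSS');</script>"),
    (3, "PRICE POSTFIX TEXT", "per month"),
    (4, "ADDRESS *", "<img src=x onerror=(alert)(document.cookie)>"),
    (5, "TITLE", "Area < 200 m2"),  # a bare "<" is text, not a tag
]

if __name__ == "__main__":
    for rid, field, safe in audit(SAMPLE_ROWS):
        print(f"row {rid} [{field}] -> {safe}")
```

Flagged rows should be rewritten or deleted in the data store, and the templates that print these fields should escape on output so that any value missed by the audit is rendered as text.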

Proof of Concept

----[]- Persistent XSS on any property page: -[]----
You need a new user account; then edit any existing property or create a new one.

Vulnerable input fields:
1 - Description & Price -> «PRICE POSTFIX TEXT» and «SECOND PRICE POSTFIX TEXT»;
2 - Additional Information -> «TITLE» and «VALUE»;
3 - Location & Map -> «ADDRESS *».

Payload Sample: <img src=x onerror=(alert)(document.cookie)>


----[]- Persistent XSS on user profile page: -[]----
http://reality.inwavethemes.com/dashboard/?tab=my-profile

Vulnerable input fields:
Profile Information -> «OFFICE NUMBER», «MOBILE NUMBER» and «FAX NUMBER».

Payload Sample: "><script>alert('XSS');</script>

Live example: http://reality.inwavethemes.com/author/asdasd/

Affects Themes

Fixed in 2.4.0

Classification

Type: XSS
CWE

Miscellaneous

Original Researcher: subversa
Submitter: subversa
Verified: No

Timeline

Publicly Published: 2019-09-08 (about 4 years ago)
Added: 2019-10-11 (about 4 years ago)
Last Updated: 2021-01-19 (about 3 years ago)