Selio – Real Estate Directory <= 1.1 – SQL Injection & Persistent XSS

Description

----[]- SQL Injection: -[]----
Vulnerable 'id' parameter is https://listing-themes.com/selio-wp/wp-admin/admin.php?page=ownlisting_addlisting&id=21

----[]- Persistent XSS: -[]----
You need a new user account, then go to any property listing on the website and use 'ENQUIRY FORM' on the right sidebar. Or you can press the 'REPORT LISTING' button on any property page and use your payload inside the «Message» text box.

Edit (WPscanTeam) - This has been hot fixed in v1.1 on September 9th, 2019, so there are two v1.1 out there, one with the issues, and one with the fixes. As a result, the fixed in has been set to 1.1.1 (which does not exist yet, but once a new version is released, the issue won't be displayed anymore)

Proof of Concept

----[]- SQL Injection: -[]----
You need a new user account (agent:agent on the demo website), then use the sqlmap (with --cookie option):

sqlmap --url="https://listing-themes.com/selio-wp/wp-admin/admin.php?page=ownlisting_addlisting&id=21" --cookie="wordpress_logged_in_0123456789=agent%7C1a2b3c4d5e6f7g8h9i0j; wordpress_sec_0123456789=agent%7C0a1b2c3d4e5f6g7h8i9j" --dbs -D geniuscr_selio --tables


----[]- Persistent XSS: -[]----
You need a new user account, then go to any property listing on the website and use «ENQUIRY FORM» on the right sidebar. Vulnerable text area is «Message». Injection will trigger on the https://listing-themes.com/selio-wp/wp-admin/admin.php?page=ownlisting_messages page many times for any basic user.

Or you can press the «REPORT LISTING» button on any property page and use your payload inside the «Message» text box. Injection will trigger on the https://listing-themes.com/selio-wp/wp-admin/admin.php?page=listing_reports page when administrator will be online.