WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月4日2年前

# Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9
Persistent XSS Injection
# Google Dork: inurl:"/wp-content/themes/realestate-7/"
# Date: 2019/07/20
# Author: m0ze
# Vendor Homepage: https://contempothemes.com
# Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
# Version: <= 2.8.9
# Tested on: NginX
# CVE: -
# CWE: CWE-79

Details & Description:
The «Real Estate 7» premium WordPress theme is vulnerable to persistent XSS
injection that allows an attacker to inject JavaScript or HTML code into
the website front-end.

Special Note:
- 7.151 Sales
- If pre moderation is enabled, then u have a huge chance to steal an admin
or moderator cookies.
- U can edit any existed listing on the website by changing the unique ID
-> https://site.com/edit-listing/?listings=XXX (where XXX is WordPress post
ID, u can find it inside <body> tag class).

PoC [Persistent XSS Injection]:
First of all, register a new account as a seller or agent, log in and
choose free membership package @ the dashboard. After that u'll be able to
submit a new listing -> https://site.com/submit-listing/
For persistent XSS injection u need to add ur payload inside the «Vitrual
Tour Embed» text area (on the «DETAILS» step) and then press «Submit»
button.
Example: <img src="x" onerror="(alert)(`m0ze`)">

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索