WordPress Real Estate 7 premium theme <= 3.1.0 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability

realestate-7

Software
Real Estate 7
Versions
<= 3.1.0
Disclosure date
2021-06-03
CVE
CVE-N/A
References
Classification
Cross Site Scripting (XSS)
OWASP Top 10
A7: Cross-Site Scripting (XSS)
CVSS 3.0 score
7.2 (High)

Can be exploited remotely without any authentication.


Details

An unauthenticated reflected Cross-Site Scripting (XSS) vulnerability, discovered by m0ze (Patchstack Red Team), affects the WordPress Real Estate 7 premium theme in versions <= 3.1.0. The vulnerable parameter is the "ct_community" query parameter: its value is reflected into the page without adequate output escaping, so a crafted link carrying attacker-controlled markup executes in the browser of any visitor who opens it, with no login required.

Solution

Update the WordPress Real Estate 7 premium theme to the latest available version (at least 3.1.1). The theme's changelog does not yet list that release, but according to the researcher the issue is fixed and the patched version is numbered 3.1.1.
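As an added example (not part of this advisory and not the theme's or Patchstack's own code), the two checks a site owner would want after reading the Details and Solution sections above: a version check parsed from a theme's style.css header, and a reflection probe for the ct_community parameter that tells an unescaped echo apart from a properly escaped one. The style.css text and both HTTP response bodies are constructed samples; the canary value, the helper names and the base URL are assumptions, and check_site() makes a live request only when you call it yourself against a site you are authorised to test.

```python
"""Offline checks for the Real Estate 7 <= 3.1.0 reflected XSS advisory."""
import html
import re
from urllib.parse import urlencode

FIXED_VERSION = (3, 1, 1)     # patched release named in the advisory
PARAM = "ct_community"        # vulnerable query parameter named in the advisory
CANARY = 'ct7"><ct7test>'     # assumed probe string; contains chars that escaping must change

# Constructed sample of a WordPress theme style.css header (not the real theme file).
SAMPLE_STYLE_CSS = """/*
Theme Name: Real Estate 7
Theme URI: https://example.invalid/
Version: 3.1.0
*/
"""

# Constructed response fragments: one echoes the parameter raw, one escapes it.
VULN_BODY = '<input name="ct_community" value="' + CANARY + '">'
SAFE_BODY = '<input name="ct_community" value="' + html.escape(CANARY, quote=True) + '">'


def theme_version(style_css: str):
    """Parse the 'Version:' field of a WordPress theme style.css header into a tuple."""
    m = re.search(r"^\s*Version:\s*([0-9][0-9.]*)", style_css, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable_version(version, fixed=FIXED_VERSION) -> bool:
    """True when the installed version is below the fixed release (i.e. <= 3.1.0)."""
    # Pad the shorter tuple so (3, 1) compares like (3, 1, 0).
    n = max(len(version), len(fixed))
    padded_v = tuple(version) + (0,) * (n - len(version))
    padded_f = tuple(fixed) + (0,) * (n - len(fixed))
    return padded_v < padded_f


def probe_url(base_url: str, canary: str = CANARY) -> str:
    """Build the GET URL that sends the canary through the ct_community parameter."""
    return base_url.rstrip("/") + "/?" + urlencode({PARAM: canary})


def reflected_unescaped(body: str, canary: str = CANARY) -> bool:
    """True if the canary comes back verbatim, i.e. without HTML escaping.

    The canary contains '"', '<' and '>', so an escaped echo (&quot; &lt; &gt;)
    can never contain the raw canary as a substring; a verbatim hit means the
    theme reflected attacker-controlled markup into the page.
    """
    if html.escape(canary, quote=True) == canary:
        raise ValueError("canary must contain characters that HTML escaping changes")
    return canary in body


def check_site(base_url: str, canary: str = CANARY, timeout: float = 10.0) -> bool:
    """Live variant: fetch the probe URL and test the response. Not run by the demo."""
    import urllib.request
    with urllib.request.urlopen(probe_url(base_url, canary), timeout=timeout) as resp:
        return reflected_unescaped(resp.read().decode("utf-8", "replace"), canary)


if __name__ == "__main__":
    v = theme_version(SAMPLE_STYLE_CSS)
    print("installed version:", v, "vulnerable:", is_vulnerable_version(v))
    print("probe URL:", probe_url("https://example.invalid/"))
    print("raw echo reflected:", reflected_unescaped(VULN_BODY))
    print("escaped echo reflected:", reflected_unescaped(SAFE_BODY))
```

The version check is the cheap first pass (compare wp-content/themes/realestate-7/style.css against 3.1.1); the reflection probe is what confirms the fix actually escapes the parameter rather than just bumping the version string.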
