Realteo < 1.2.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)
CVE-2021-24237

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
Realteo
Findeo
Vendor
CVE Published:
22 April 2021

Summary

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius. _bedrooms and _bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue.

Affected Version(s)

Findeo 1.3.1

Realteo 1.2.4

References

https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-...
x_refsource_CONFIRM
https://www.docs.purethemes.net/findeo/knowledge-base/cha...
x_refsource_MISC
https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPre...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

m0ze
.