cbcvebase.
CVE-2021-24237
published 2021-04-22

CVE-2021-24237: The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius, _bedrooms and _bathrooms GET…

Priority: P3 · 42 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 6.30% (92.7th percentile)
The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius, _bedrooms and _bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue.

Affected (4 ranges)

Vendor        Product   Version range       Fixed in
purethemes    findeo    < 1.3.1             1.3.1
purethemes    findeo    >= 1.3.1 < 1.3.1    1.3.1
purethemes    realteo   < 1.2.4             1.2.4
purethemes    realteo   >= 1.2.4 < 1.2.4    1.2.4

Detection & IOCs (extracted from sources)

URL: /properties/?keyword_search=--!%3E%22%20autofocus%20onfocus%3Dalert(/{{randstr}}/)%3B%2F%2F
Path: /properties/
  • Look for reflected XSS payload in HTTP response body containing 'autofocus onfocus=alert(...)' alongside the string 'Nothing found' — both must be present for a confirmed hit.
  • Exploit is unauthenticated and delivered via GET request to /properties/ endpoint; no session or authentication cookie is required.
  • Monitor GET parameters keyword_search, search_radius, _bedrooms, and _bathrooms on the /properties/ path for unsanitised/unencoded script injection patterns.
  • Response Content-Type must be text/html and HTTP status 200 to confirm the vulnerable endpoint is active.
  • Vulnerability affects Realteo WordPress plugin versions prior to 1.2.4; version 1.2.4 includes the fix. Confirm plugin version before triaging alerts.
  • The plugin is used by the Findeo Theme; detections should also account for sites running the Findeo Theme (CPE: cpe:2.3:a:purethemes:findeo:*:*:*:*:*:wordpress:*:*).
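The monitoring rule in the bullets above, written out as an added example (not code from the CVE record, the Realteo plugin, or any vendor tooling): a small Python scanner that walks web-server access-log lines, URL-decodes the four named parameters on the /properties/ path, and flags values carrying markup or event-handler fragments. The log lines and the indicator pattern are constructed for illustration and will need tuning for a real site's traffic.

```python
# Added example, not part of the CVE record: flag access-log requests matching the
# CVE-2021-24237 reflected-XSS pattern on /properties/. Sample log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The four GET parameters the advisory names as unsanitised.
WATCHED_PARAMS = {"keyword_search", "search_radius", "_bedrooms", "_bathrooms"}
# Fragments that have no place in a property search value: tag delimiters,
# inline event handlers, javascript: URLs, alert() calls. Quotes are deliberately
# not matched so that searches such as "O'Brien Street" do not fire the rule.
INJECTION_RE = re.compile(r"<|>|\bon[a-z]+\s*=|javascript:|alert\s*\(", re.I)
# Request line of a combined/common log format entry: method, target, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2021:10:00:01 +0000] "GET /properties/?keyword_search=loft&_bedrooms=2 HTTP/1.1" 200 5120
203.0.113.9 - - [22/Apr/2021:10:00:07 +0000] "GET /properties/?keyword_search=--!%3E%22%20autofocus%20onfocus%3Dalert(1)%3B%2F%2F HTTP/1.1" 200 4870
203.0.113.9 - - [22/Apr/2021:10:00:09 +0000] "GET /blog/?s=%3Cscript%3E HTTP/1.1" 200 3001
"""

def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for watched params on /properties/ that look injected."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/properties":
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote(value)  # second pass catches double-encoded values
            if INJECTION_RE.search(decoded):
                hits[name] = decoded
    return hits

def scan_log(text: str) -> list:
    """Return (client_ip, param, decoded value, status) for each matching GET request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        for param, value in suspicious_params(m.group("target")).items():
            findings.append((line.split()[0], param, value, int(m.group("status"))))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A status of 200 with a text/html response, as the bullets note, is what distinguishes a live reflection from a blocked or redirected probe, so correlate findings with the response side before raising an incident.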

CVSS provenance

NVD v3.1: 6.1 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD v2.0: 4.3 MEDIUM  AV:N/AC:M/Au:N/C:N/I:P/A:N