CVE-2020-15363

CRITICAL

nexos < 1.7 - SQL Injection via search_order Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-15363.

AI-analyzed exploit summary The exploit demonstrates SQL Injection and Reflected XSS vulnerabilities in WordPress Theme NexosReal Estate 1.7. It includes functional PoC URLs and sqlmap commands to exploit the SQLi, along with a crafted XSS payload.

Description

The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.

Exploits (1)

exploitdb WORKING POC

webappsphp

https://www.exploit-db.com/exploits/48682

View Code ZIP pw:eip

The exploit demonstrates SQL Injection and Reflected XSS vulnerabilities in WordPress Theme NexosReal Estate 1.7. It includes functional PoC URLs and sqlmap commands to exploit the SQLi, along with a crafted XSS payload.

Classification

Working Poc 95%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Theme NexosReal Estate 1.7

No auth needed

Prerequisites: WordPress with NexosReal Estate theme 1.7 installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Product, Third Party Advisory x_refsource_misc

https://themeforest.net/item/nexos-real-estate-agency-directory/21126242

Exploit, Third Party Advisory x_refsource_misc

https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-nexos-real-estate-wordpress-theme-v1-7.txt

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/158510/WordPress-NexosReal-Estate-Theme-1.7-Cross-Site-Scripting-SQL-Injection.html

Scores

CVSS v3 9.8

EPSS 0.0590

EPSS Percentile 92.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

nexos_project/nexos < 1.7

Published Jun 28, 2020

Tracked Since Feb 18, 2026