CVE-2020-15364
MEDIUMnexos < 1.7 - Cross-Site Scripting via search_location Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2020-15364. PoCs published by Vlad Vector.
AI-analyzed exploit summary This exploit demonstrates SQL injection and reflected XSS vulnerabilities in WordPress Theme NexosReal Estate 1.7. It includes PoC URLs and sqlmap commands to exploit the SQLi vulnerability in the 'search_order' parameter.
Description
The Nexos theme through 1.7 for WordPress allows top-map/?search_location= reflected XSS.
Exploits (1)
exploitdb
WORKING POC
by Vlad Vector · textwebappsphp
https://www.exploit-db.com/exploits/48682
This exploit demonstrates SQL injection and reflected XSS vulnerabilities in WordPress Theme NexosReal Estate 1.7. It includes PoC URLs and sqlmap commands to exploit the SQLi vulnerability in the 'search_order' parameter.
Classification
Working Poc 95%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Reliable
Target:
WordPress Theme NexosReal Estate 1.7
No auth needed
Prerequisites:
Access to the vulnerable WordPress theme
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (3)
Core 3
Core References
Product, Third Party Advisory x_refsource_misc
https://themeforest.net/item/nexos-real-estate-agency-directory/21126242
Exploit, Third Party Advisory x_refsource_misc
https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-nexos-real-estate-wordpress-theme-v1-7.txt
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/158510/WordPress-NexosReal-Estate-Theme-1.7-Cross-Site-Scripting-SQL-Injection.html
Scores
CVSS v3
6.1
EPSS
0.0373
EPSS Percentile
88.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
nexos_project/nexos
< 1.7
Published
Jun 28, 2020
Tracked Since
Feb 18, 2026