CVE-2021-24237
MEDIUM NUCLEIFindeo and Realteo < 1.3.1 and < 1.2.4 - Unauthenticated Reflected Cross-Site Scripting via GET Parameters
Title source: llmExploitation Summary
CVE-2021-24237 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius. _bedrooms and _bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue.
Nuclei Templates (1)
WordPress Realteo <=1.2.3 - Cross-Site Scripting
MEDIUMby 0x_Akoko
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e
Release Notes, Vendor Advisory x_refsource_misc
https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/
Various Sources x_refsource_misc
https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-79%5D-Findeo-WordPress-Theme-v1.3.0.txt
Various Sources x_refsource_misc
https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-79%5D-Realteo-WordPress-Plugin-v1.2.3.txt
Scores
CVSS v3
6.1
EPSS
0.0630
EPSS Percentile
92.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
purethemes/findeo
< 1.3.1
purethemes/realteo
< 1.2.4
Published
Apr 22, 2021
Tracked Since
Feb 18, 2026