CarSpot Theme <= 2.1.6 – Authenticated Stored XSS | CVE 2019-15870 | Theme Vulnerabilities

Description

Bad input field data filtering has been discovered in the 'CarSpot – Automotive Car Dealer Wordpress Classified Theme'. Current version of this Premium Theme is 2.1.5.

Proof of Concept

Authorize on the demo website for tests: https://carspot.scriptsbundle.com/, login is zulacone@businessagent.email and passowrd is asdasd. If this account will be deleted, simply create a new one, it's easy.
On the profile page there is one vulnerable input field w/o filering: «Phone Number». Fill in your payload, f.e. <script>alert('QUIXSS')</script> and save this changes. After that, on each page where data from your profile is loading you'll see saved payload in action.

Affects Themes

Fixed in 2.1.7

References

CVE

URL

https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539

URL

https://carspot.scriptsbundle.com/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

QUIXSS

Submitter

QUIXSS

Submitter website

http://defcon.su/

Submitter twitter

Verified

No

WPVDB ID

21f3a2ff-36d5-48f7-99e3-f08ff8f07e0d

Timeline

Publicly Published

2019-04-18 (about 7 years ago)

Added

2019-04-23 (about 7 years ago)

Last Updated

2021-01-19 (about 5 years ago)

Other

Published

Title

Published

2023-08-14

Title

User Submitted Posts < 20230811 - Unauthenticated Stored XSS

Published

2021-10-21

Title

Simple Job Board < 2.9.5 - Admin+ Stored Cross-Site Scripting

Published

2022-04-28

Title

Ravpage < 2.25 - Reflected Cross-Site Scripting

Published

2026-03-04

Title

OoohBoi Steroids for Elementor < 2.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple URL Controls

Published

2023-10-16

Title

Responsive Pricing Table < 5.1.8 - Admin+ Stored Cross-Site Scriping