Themes Vulnerabilities

Love Travel 2.0-3.8 - Unauthenticated Reflected XSS & XFS

Description

An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the Love Travel theme for WordPress, affected versions: 2.0-3.8. Vulnerable parameters: keyword, date_from, date_to, price_from_to, nicdark_price_from, nicdark_price_to

Proof of Concept

Affects Themes

lovetravel
Fixed in 3.8

References

URL
https://ex-mi.ru/exploit/[2020-09-09]-[WordPress]-love-travel-theme-v3.8.txt
URL
https://themeforest.net/item/love-travel-creative-travel-agency-wordpress/7704831

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Ex.Mi
Submitter
Ex.Mi
Submitter website
https://ex-mi.ru/
Verified
Yes
WPVDB ID
39ac3290-772d-45b6-a30f-edd907c5539c

Timeline

Publicly Published
2020-11-12 (about 5 years ago)
Added
2020-11-12 (about 5 years ago)
Last Updated
2023-06-13 (about 2 years ago)

Other

Published
Title
Published
2025-06-12
Title
CubeWP Framework < 1.1.24 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-07
Title
5sterrenspecialist < 1.5 - Reflected Cross-Site Scripting
Published
2025-06-05
Title
Video Embeds <= 0.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-06-25
Title
Event Espresso Core < 4.10.7.p - Reflected Cross-Site Scripting (XSS)
Published
2013-06-21
Title
WordPress 3.5.1 - Multiple Cross-Site Scripting (XSS)