Themes Vulnerabilities

Travel Booking < 2.8.4 - Unauthenticated Cross-Site Scripting (XSS)

Description

Unauthenticated Reflected XSS via the child_number parameter

Proof of Concept

Affects Themes

traveler
Fixed in 2.8.4

References

URL
https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
URL
https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-23-travel-booking-wordpress-theme-v2-8-3.txt
URL
https://travelerwp.com/traveler-changelog/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Submitter
VLΛD VΞCTOR
Submitter website
https://vladvector.ru
Submitter twitter
vlad_vector
Verified
Yes
WPVDB ID
c4847867-616d-4718-ab77-acb9e9d511b8

Timeline

Publicly Published
2020-07-09 (about 5 years ago)
Added
2020-07-09 (about 5 years ago)
Last Updated
2020-07-10 (about 5 years ago)

Other

Published
Title
Published
2022-10-10
Title
Newspaper < 12 - Reflected Cross-Site Scripting
Published
2022-11-04
Title
Donations via PayPal < 1.9.9 - Admin+ Stored XSS
Published
2025-05-07
Title
Charitable < 1.8.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-03-18
Title
MyCurator Content Curation < 3.77 - Reflected Cross-Site Scripting
Published
2025-03-19
Title
En Masse <= 1.0 - Reflected Cross-Site Scripting