Travel Booking < 2.7.8.4 - Reflected & Stored XSS

Description

Weak security measures, such as missing filtering of data submitted through input and textarea fields, have been discovered in the 'Traveler - Travel Booking WordPress Theme'.

Special Notes:
1 - The 'Change Avatar' upload field behaves strangely. For example, you can upload any PHP file with the extension .php.png and break the profile page (the server will respond with Error #500). Another possible issue is Null Byte Injection in PHP, but on the demo website any access to the uploaded file will be blocked by Cloudflare.

2 - In the 'Google Chrome' browser, reflected XSS doesn't work because of built-in browser security measures; better to use 'Mozilla' or 'Opera' instead.

https://travelerwp.com/traveler-changelog/
April 30, 2019 - v2.7.1 released with "Fix Reflected XSS Injection Security".
Dec 26th, 2019 - v2.7.8.4 released, fixing the stored XSS.

Affects Themes

Fixed in 2.7.8.4

Classification

Type
XSS

Miscellaneous

Original Researcher
QUIXSS
Submitter
quixss
Verified
No

Timeline

Publicly Published
2019-05-05
Added
2019-05-29
Last Updated
2021-01-19