Traveler - Travel Booking WordPress Theme v2.7 Reflected XSS Injection

2019.04.28
QUIXSS (RU)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[*] :: Title: Traveler - Travel Booking WordPress Theme v2.7 Reflected XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-28
[*] :: Software: Traveler - Travel Booking WordPress Theme v2.7

[?] :: Technical Details & Description:
# Weak security measures, such as no filtering of input field data, have been discovered in the «Traveler - Travel Booking WordPress Theme». The current version of this WordPress premium theme is 2.7.

[?] :: Demo Website:
# https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
# Frontend: https://remap.travelerwp.com/

[!] :: Special Note:
# 5.822 Sales

[!] :: For developers:
# Disabling data changes on demo websites doesn't make your application more secure. It's good for business and sales, but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# https://remap.travelerwp.com/?s=%22%3E%3Cimg%20src=x%20onerror=alert(document.cookie)%3E

[+] :: PoC [Reflected XSS Injection]:
# For the Reflected XSS Injection, use the default WordPress search on the demo website: https://remap.travelerwp.com/?s=[payload]
# Sample payload: "><img src=x onerror=alert(document.cookie)>
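As an added defender-side example (not code from the advisory, and not the theme's own PHP), the Python below models the two points above: a search term echoed into an HTML attribute without filtering versus the same term escaped for that context (what WordPress's esc_attr() does in a theme template), and a check over access-log lines that flags requests whose `s` parameter carries tag or event-handler syntax after URL decoding, using the advisory's own PoC payload. The input template, the log lines and the client addresses are constructed assumptions, not the theme's real markup or real traffic.

```python
"""Reflected-XSS checks for a WordPress-style search parameter.

Added example: models the advisory's finding (search term reflected without
filtering) and a log-side detection for the PoC pattern. The markup template
and log lines are constructed; they are not the Traveler theme's code.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Payload from the advisory's PoC link: closes the attribute, then injects <img>.
POC_PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'


def render_search_unfiltered(term: str) -> str:
    """Vulnerable pattern (assumed template): the term is concatenated straight
    into an attribute value, so a leading quote ends the attribute and the rest
    of the term is parsed as markup."""
    return f'<input type="search" name="s" value="{term}">'


def render_search_escaped(term: str) -> str:
    """Hardened pattern: escape for the attribute context before echoing.
    html.escape(..., quote=True) encodes & < > " and ', the same characters
    WordPress's esc_attr() neutralises."""
    return f'<input type="search" name="s" value="{html.escape(term, quote=True)}">'


def term_breaks_attribute(rendered: str) -> bool:
    """True if the rendered fragment contains more than the one <input> tag,
    i.e. the search term escaped the attribute and introduced its own element."""
    return len(re.findall(r"<[a-zA-Z]", rendered)) > 1


# Constructed Apache combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2019:10:00:01 +0000] "GET /?s=beach+hotel HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2019:10:00:09 +0000] "GET /?s=%22%3E%3Cimg%20src=x%20onerror=alert(document.cookie)%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Apr/2019:10:01:30 +0000] "GET /tour/?s=%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

# Client address, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Syntax that has no business in a search term: a tag opener or an on*= handler.
MARKUP_RE = re.compile(r"<\s*[a-zA-Z/!]|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_search_requests(log_text: str, param: str = "s"):
    """Return (client ip, decoded search term) for requests whose search
    parameter contains HTML tag or event-handler syntax after URL decoding.
    parse_qs splits each pair at the first '=' and percent-decodes, so the
    '=' characters inside the payload stay part of the value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if MARKUP_RE.search(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    print("unfiltered breaks out:", term_breaks_attribute(render_search_unfiltered(POC_PAYLOAD)))
    print("escaped breaks out:   ", term_breaks_attribute(render_search_escaped(POC_PAYLOAD)))
    for ip, term in suspicious_search_requests(SAMPLE_LOG):
        print(f"flagged {ip}: {term}")
```

The attribute check deliberately counts tags rather than looking for the literal payload, so it also catches variants that break out of the attribute with a different element; the log check decodes before matching, since the PoC link is entirely percent-encoded and a raw-string match on `<img` would miss it.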

References:

https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
