Traveler - Travel Booking WordPress Theme v2.7 Stored XSS Injection

2019.05.01
QUIXSS (RU)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[*] :: Title: Traveler - Travel Booking WordPress Theme v2.7 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-28
[*] :: Software: Traveler - Travel Booking WordPress Theme v2.7

[?] :: Technical Details & Description:
# Weak security measures, such as no filtering of input and textarea field data, have been discovered in the «Traveler - Travel Booking WordPress Theme». The current version of this premium WordPress theme is 2.7.

[?] :: Demo Website:
# https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
# Frontend #1: https://carmap.travelerwp.com/
# Backend #1: https://carmap.travelerwp.com/page-user-setting/
# Frontend #2: https://remap.travelerwp.com/
# Backend #2: https://remap.travelerwp.com/page-user-setting/

[!] :: Special Note:
# 5.822 Sales
# The «Change Avatar» upload field works really strangely. For example, you can upload any .PHP file with the extension .php.png and break the profile page (the server will respond with Error #500).

[!] :: For developers:
# Disabling any data changes on demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# https://carmap.travelerwp.com/page-user-setting/
# https://remap.travelerwp.com/page-user-setting/
# https://remap.travelerwp.com/st_rental/midtown-manhattan-oversized/

[+] :: PoC [Stored XSS Injection]:
# Go to the demo website https://carmap.travelerwp.com and register a new account (there is no validation or activation process), then log in to your account. Next, go to the https://carmap.travelerwp.com/page-user-setting/ page. All input fields except «Username» and «E-mail» can be used for Stored XSS Injections. For a test you can use any payload starting with "> just to «close» the input field, and </textarea> to «close» the text box. Save the data and your payload(s) will be successfully injected.
# The same logic works for any other theme options: the «Checkout» page https://remap.travelerwp.com/checkout/ with multiple vulnerable input fields, the «Write Review» page https://remap.travelerwp.com/page-user-setting/?sc=write_review&item_id=1084 etc.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: </textarea><img src="x" onerror="window.location.replace('https://twitter.com/quixss');">
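
The fields described above put stored profile data back into an input's value attribute and a textarea body. The PHP below is an added example, not the theme's code or the advisory author's: it renders that template pattern without and with output escaping through WordPress's esc_attr() and esc_textarea(), then parses both results to count the elements that should never appear. The field names, sample values and the stand-in definitions that let it run outside WordPress are assumptions.

```php
<?php
// Added example: hypothetical profile-form template, not the Traveler theme's code.

// Stand-ins so the file runs outside WordPress; inside WordPress the
// core esc_attr() and esc_textarea() functions are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_textarea')) {
    function esc_textarea($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}

// Constructed stored values using the two prefixes the advisory names.
// 'display_name' and 'bio' are hypothetical field names.
$profile = [
    'display_name' => '"><script>alert(1)</script>',
    'bio'          => '</textarea><img src="x" onerror="alert(1)">',
];

// Weak: stored values are concatenated into the markup unchanged.
function render_unescaped(array $p): string {
    return '<input type="text" name="display_name" value="' . $p['display_name'] . '">'
         . '<textarea name="bio">' . $p['bio'] . '</textarea>';
}

// Corrected: each value is encoded for the context it lands in.
function render_escaped(array $p): string {
    return '<input type="text" name="display_name" value="' . esc_attr($p['display_name']) . '">'
         . '<textarea name="bio">' . esc_textarea($p['bio']) . '</textarea>';
}

// Check: parse the output and count elements the form should never contain.
function injected_elements(string $html): int {
    libxml_use_internal_errors(true);   // tolerate the malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length
         + $doc->getElementsByTagName('img')->length;
}

printf("unescaped: %d injected element(s)\n", injected_elements(render_unescaped($profile)));
printf("escaped:   %d injected element(s)\n", injected_elements(render_escaped($profile)));
```

The same parse-and-count check can serve as a regression test for any template that prints user-controlled profile, checkout or review fields.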

References:

https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
https://twitter.com/quixss



Copyright 2019, cxsecurity.com

 
