CityBook < 2.3.4 - Multiple Vulnerabilities



Description
Multiple vulnerabilities were discovered in the «CityBook - Directory & Listing WordPress Theme» (tested version: v2.3.3):

- Unauthenticated Reflected XSS
- Authenticated Persistent XSS
- IDOR

Edit (WPScanTeam):
December 27th, 2019 - Envato Contacted
January 6th, 2020 - Envato Investigating
January 7th, 2020 - v2.3.4 released

Proof of Concept

The PoC will be displayed on January 23, 2020, to give users the time to update.

Affects Theme

fixed in version 2.3.4

References

CVE 2019-20210
CVE 2019-20211
CVE 2019-20212
CVE 2019-20209
URL https://themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727

Classification

Type MULTI

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Views 37749
Verified Yes
WPVDB ID 10013

Timeline

Publicly Published 2020-01-09 (14 days ago)
Added 2020-01-09 (13 days ago)
Last Updated 2020-01-14 (8 days ago)
