EasyBook < 1.2.2 - Multiple Vulnerabilities



Description
Multiple vulnerabilities were discovered in the «EasyBook – Directory & Listing WordPress Theme», tested version — v1.2.1:

- Unauthenticated Reflected XSS
- Authenticated Persistent XSS
- IDOR

December 27th, 2019 - Envato Contacted
January 6th, 2020 - Envato Investigating
January ??th, 2020 - Theme has been removed from Envato
January 8th, 2020 - v1.2.2 released
January 10th, 2020 - Theme put back on Envato
Proof of Concept

The PoC will be displayed on January 24, 2020, to give users the time to update.

Affects Theme

Fixed in version 1.2.2

References

CVE 2019-20209
CVE 2019-20210
CVE 2019-20211
CVE 2019-20212
URL https://themeforest.net/item/easybook-directory-listing-wordpress-theme/23206622

Classification

Type MULTI

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Views 8232
Verified Yes
WPVDB ID 10018

Timeline

Publicly Published 2020-01-10
Added 2020-01-11
Last Updated 2020-01-15
