Travel Booking < 2.7.8.6 - Reflected & Persistent XSS Issues



Description
Reflected & Persistent XSS vulnerabilities were discovered in the «Travel Booking WordPress Theme». Tested version: v2.7.8.5.

Edit (WPScanTeam):
January 11th, 2020 - Report received & Envato contacted
January 12th, 2020 - Report updated with Reflected XSS, Envato notified again.
January 12th, 2020 - Envato investigating
January 13th, 2020 - 2.7.8.6 released, fixing the issues

Proof of Concept
The PoC will be displayed on January 25, 2020, to give users time to update.

Affects Theme

fixed in version 2.7.8.6

References

URL https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
URL https://travelerwp.com/traveler-changelog/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Verified Yes
WPVDB ID 10023

Timeline

Publicly Published 2020-01-13 (10 days ago)
Added 2020-01-14 (8 days ago)
Last Updated 2020-01-20 (2 days ago)
