Traveler - Travel Booking WordPress Theme 2.7.1 - Reflected & Stored XSS

Weak security measures have been discovered in the «Traveler - Travel Booking WordPress Theme»: data submitted through its input and textarea fields is not filtered, which allows reflected and stored XSS.

Special Notes:
1 - The «Change Avatar» upload field behaves strangely. For example, any .PHP file can be uploaded with a double extension such as .php.png, which breaks the profile page (the server responds with Error 500). Null Byte Injection in PHP is another possible issue, but on the demo website any access to the uploaded file is blocked by CloudFlare.

2 - In the «Google Chrome» browser the reflected XSS does not trigger because of built-in browser security measures; use «Mozilla» or «Opera» instead to reproduce it.
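The first special note describes an avatar upload that accepts a PHP file under a .php.png name. The following handler is an added example of how a theme can validate such an upload; it is not the Traveler theme's code, and the `$_FILES['avatar']` field name, the `traveler_avatar` user meta key and the function name are assumptions made for illustration. The WordPress functions it calls (`wp_get_image_mime()`, `wp_handle_upload()`, `wp_generate_password()`, `update_user_meta()`) are real core API.

```php
<?php
// Added example, not the theme's code: a hardened avatar upload handler.
// Assumed: the form field is $_FILES['avatar'] and the avatar URL is kept in
// the 'traveler_avatar' user meta key.

function traveler_demo_handle_avatar_upload( $user_id ) {
    // Only the logged-in owner of the profile may change its avatar.
    if ( ! is_user_logged_in() || get_current_user_id() !== (int) $user_id ) {
        return new WP_Error( 'avatar_forbidden', 'Not allowed.' );
    }
    if ( empty( $_FILES['avatar'] ) || ! is_uploaded_file( $_FILES['avatar']['tmp_name'] ) ) {
        return new WP_Error( 'avatar_missing', 'No file was uploaded.' );
    }
    $file = $_FILES['avatar'];

    // Whitelist of image types. Keys use the extension pattern WordPress expects.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Refuse names with more than one extension (shell.php.png) outright.
    // Trade-off: a legitimate "holiday.2019.png" is refused as well.
    if ( substr_count( basename( $file['name'] ), '.' ) > 1 ) {
        return new WP_Error( 'avatar_name', 'File names may contain only one extension.' );
    }

    // Decide by content, not by name: wp_get_image_mime() decodes the image
    // header and returns false for anything that is not a real image, so a
    // PHP script renamed to .png stops here.
    $real_mime = wp_get_image_mime( $file['tmp_name'] );
    if ( false === $real_mime || ! in_array( $real_mime, $allowed, true ) ) {
        return new WP_Error( 'avatar_content', 'The file is not a JPEG, PNG or GIF image.' );
    }

    // Derive the extension from the detected type, never from the supplied name,
    // and replace the name with a random one so no user-chosen name reaches disk.
    $ext_pattern  = array_search( $real_mime, $allowed, true );   // e.g. 'jpg|jpeg'
    $ext          = explode( '|', $ext_pattern )[0];
    $file['name'] = wp_generate_password( 20, false ) . '.' . $ext;

    // wp_handle_upload() moves the file into the uploads directory and applies
    // the same MIME whitelist a second time.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'avatar_upload', $result['error'] );
    }

    update_user_meta( $user_id, 'traveler_avatar', esc_url_raw( $result['url'] ) );
    return $result['url'];
}
```

The content check is what matters: the double-extension test alone would still let a non-image named `x.png` through, while `wp_get_image_mime()` rejects anything that does not decode as an image, and the random file name removes the original name from the picture entirely.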
April 30, 2019 - Traveler version 2.7.1 - «Fix Reflected XSS Injection Security»

The reflected XSS is still not fixed, and neither is the stored XSS.
Proof of Concept
PoC [Reflected XSS Injection]:
~ For the reflected XSS injection, submit the payload through the default WordPress search on the demo website: [payload]
~ Sample payload #1: "><img src=x onerror=alert(document.cookie)>
~ Sample payload #2: "><img src=x onerror=alert(`QUIXSS`)>

PoC [Stored XSS Injection]:
~ Go to the demo website and register a new account (there is no validation or activation process), then log in to your account and go to the next page. All input fields except «Username» and «E-mail» can be used for stored XSS injection; for testing you can use any payload that starts with "> to «close» the input field, or with </textarea> to «close» the text box. Save the data and your payload(s) will be injected.

~ The same logic works for the other theme pages: the «Checkout» page with multiple vulnerable input fields, the «Write Review» page, etc.
~ Sample payload #1: "><script>alert('QUIXSS')</script>
~ Sample payload #2: </textarea><img src="x" onerror="window.location.replace('');">
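Both PoCs work for the same reason: a request or stored value is written into an HTML attribute or a textarea without escaping, so a leading `">` or `</textarea>` ends the current context. The code below is an added example, not the Traveler theme's code, showing that rendering pattern next to its escaped form; the function names, the `phone` / `about` form fields, the `traveler_phone` meta key and the nonce action name are assumptions made for illustration. `esc_attr()`, `esc_textarea()`, `get_search_query()`, `sanitize_text_field()`, `sanitize_textarea_field()`, `wp_nonce_field()` and `wp_verify_nonce()` are real WordPress core functions.

```php
<?php
// Added example, not the theme's code. Assumed names: 'phone' and 'about' form
// fields, 'traveler_phone' user meta key, 'traveler_save_profile' nonce action.

// BEFORE (vulnerable): raw values are echoed into markup. A search term or a
// saved profile value beginning with "> closes the attribute early, and one
// beginning with </textarea> closes the text box; whatever follows is parsed
// as HTML and executes in the browser of whoever views the page.
function traveler_demo_vulnerable_profile_form( $user_id ) {
    $search = isset( $_GET['s'] ) ? $_GET['s'] : '';
    $phone  = get_user_meta( $user_id, 'traveler_phone', true );
    $about  = get_user_meta( $user_id, 'description', true );
    echo '<input type="text" name="s" value="' . $search . '">';
    echo '<input type="text" name="phone" value="' . $phone . '">';
    echo '<textarea name="about">' . $about . '</textarea>';
}

// AFTER (hardened): escape each value for the exact context it lands in, at the
// moment it is output. Escaping on output also neutralises payloads that were
// stored before the fix, which input filtering alone cannot do.
function traveler_demo_safe_profile_form( $user_id ) {
    $phone = get_user_meta( $user_id, 'traveler_phone', true );
    $about = get_user_meta( $user_id, 'description', true );
    // get_search_query() returns the current search term already attribute-escaped.
    echo '<input type="text" name="s" value="' . get_search_query() . '">';
    // esc_attr(): for a value inside a quoted attribute; the " in "> becomes &quot;.
    echo '<input type="text" name="phone" value="' . esc_attr( $phone ) . '">';
    // esc_textarea(): for text between <textarea> tags; the < in </textarea> becomes &lt;.
    echo '<textarea name="about">' . esc_textarea( $about ) . '</textarea>';
    // esc_html() is the matching choice for text between ordinary element tags.
    // Ties the form to the logged-in user so a third party cannot submit it.
    wp_nonce_field( 'traveler_save_profile', 'traveler_profile_nonce' );
}

// Input side (defence in depth): check the nonce, then strip tags and control
// characters before storing. This complements, and does not replace, the
// output escaping above, since other code paths may write the same meta keys.
function traveler_demo_save_profile( $user_id ) {
    if ( get_current_user_id() !== (int) $user_id ) {
        return false;
    }
    $nonce = isset( $_POST['traveler_profile_nonce'] ) ? $_POST['traveler_profile_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'traveler_save_profile' ) ) {
        return false;
    }
    $phone = isset( $_POST['phone'] ) ? sanitize_text_field( wp_unslash( $_POST['phone'] ) ) : '';
    $about = isset( $_POST['about'] ) ? sanitize_textarea_field( wp_unslash( $_POST['about'] ) ) : '';
    update_user_meta( $user_id, 'traveler_phone', $phone );
    update_user_meta( $user_id, 'description', $about );
    return true;
}
```

The choice of escaping function follows the output context, not the input source: the same `description` value needs `esc_textarea()` inside the edit form and `esc_html()` when shown on the public profile. Note that the «Checkout» and «Write Review» pages mentioned above need the same per-field treatment; an unescaped field anywhere is enough.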

Affects: Theme (Traveler - Travel Booking WordPress Theme)
Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Original Researcher: QUIXSS
Submitter: quixss
Submitter Twitter: @quixss
Views: 7282
Verified: No
Publicly Published: 2019-05-05
Added: 2019-05-29
Last Updated: 2019-11-11
