Traveler < - Reflected & Stored XSS

The «Traveler - Travel Booking WordPress Theme» performs no filtering or output escaping of data submitted through its input and textarea fields, which allows both reflected and stored cross-site scripting.

Special Notes:
1 - The «Change Avatar» upload field behaves oddly. For example, a PHP file can be uploaded under a double extension such as .php.png, after which the profile page breaks (the server responds with HTTP error 500). A null byte injection in the file name is another possible issue, but on the demo website every request for an uploaded file is blocked by Cloudflare, so this could not be confirmed there.

2 - In «Google Chrome» the reflected XSS payload does not fire, because the browser's built-in XSS Auditor blocks it (the Auditor was still shipped in Chrome at the time of this report; it was removed in Chrome 78). Use «Mozilla» Firefox or «Opera» to reproduce instead.
April 30, 2019 - v2.7.1 released with the changelog entry "Fix Reflected XSS Injection Security".
Dec 26, 2019 - v2.7.8.4 released, fixing the stored XSS.

Proof of Concept
PoC [Reflected XSS Injection]:
~ For the reflected XSS use the default WordPress search (the s query parameter) on the demo website and submit the payload as the search term: [payload]
~ Sample payload #1: "><img src=x onerror=alert(document.cookie)>
~ Sample payload #2: "><img src=x onerror=alert(`QUIXSS`)>

PoC [Stored XSS Injection]:
~ Go to the demo website, register a new account (there is no validation or activation step) and log in. Open your profile page. Every input field except «Username» and «E-mail» can be used for a stored XSS injection. For testing, any payload that starts with "> (to «close» the input field's value attribute) or with </textarea> (to «close» the text box) will do. Save the form and the payload(s) are stored and rendered unescaped on every subsequent view.

~ The same applies to the other theme forms: the «Checkout» page has several vulnerable input fields, as does the «Write Review» page, and so on.
~ Sample payload #1: "><script>alert('QUIXSS')</script>
~ Sample payload #2: </textarea><img src="x" onerror="window.location.replace('');">
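The two breakouts used in the reflected and stored PoCs above (closing an input's value attribute with "> and closing a text box with </textarea>) can be checked offline. The following is an added example written for this page, not code from the advisory or from the Traveler theme: it renders a constructed profile form the way the advisory says the theme does (user data dropped straight into the template) and again with context-appropriate escaping equivalent to WordPress's esc_attr()/esc_textarea(), then asks whether the advisory's own payloads became live elements carrying an inline event handler. The form field names are assumptions made for the example; the textarea handling emulates the browser rule that everything up to the first </textarea> is text, which Python's html.parser does not do on its own.

```python
"""Added example (not part of the original advisory or the Traveler theme).

Checks whether the advisory's XSS payloads break out of an <input value="...">
and a <textarea> in a constructed profile form, rendered once unescaped (the
behaviour the advisory reports) and once with escaping equivalent to
WordPress's esc_attr()/esc_textarea().
"""
import re
from html import escape
from html.parser import HTMLParser

# Payloads quoted in the advisory's PoC sections.
ATTR_PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'
TEXTAREA_PAYLOAD = '</textarea><img src="x" onerror="window.location.replace(\'\');">'

EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.I)
TEXTAREA_OPEN = re.compile(r"<textarea\b[^>]*>", re.I)
TEXTAREA_CLOSE = re.compile(r"</textarea\s*>", re.I)


class TagCollector(HTMLParser):
    """Record every start tag with its (entity-decoded) attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def live_tags(html):
    """Return the elements a browser would create from `html`.

    html.parser does not treat <textarea> as RCDATA, so emulate the browser
    rule here: everything after <textarea ...> up to the FIRST </textarea>
    is text, never markup. Only the breakout payload's own </textarea> can
    end that text early, which is exactly what the stored PoC relies on.
    """
    out, pos = [], 0
    while True:
        opened = TEXTAREA_OPEN.search(html, pos)
        if not opened:
            out.append(html[pos:])
            break
        out.append(html[pos:opened.end()])
        closed = TEXTAREA_CLOSE.search(html, opened.end())
        if not closed:
            break  # unterminated textarea swallows the rest of the document as text
        out.append(closed.group(0))
        pos = closed.end()
    parser = TagCollector()
    parser.feed("".join(out))
    parser.close()
    return parser.tags


def has_script_vector(tags):
    """True if any created element is a <script> or carries an on* handler."""
    return any(
        tag == "script" or any(EVENT_HANDLER.match(name) for name in attrs)
        for tag, attrs in tags
    )


def render_vulnerable(first_name, bio):
    """What the advisory describes: user data dropped straight into the template.
    Field names are assumptions for this example."""
    return (
        f'<input type="text" name="first_name" value="{first_name}">'
        f'<textarea name="bio">{bio}</textarea>'
    )


def render_fixed(first_name, bio):
    """Same template with context-appropriate escaping (what esc_attr() and
    esc_textarea() do in WordPress; html.escape is the stand-in here)."""
    return (
        f'<input type="text" name="first_name" value="{escape(first_name, quote=True)}">'
        f'<textarea name="bio">{escape(bio, quote=True)}</textarea>'
    )


def exploitable(render):
    """Render the advisory's payloads through `render` and report a breakout."""
    return has_script_vector(live_tags(render(ATTR_PAYLOAD, TEXTAREA_PAYLOAD)))


if __name__ == "__main__":
    print("unescaped template exploitable:", exploitable(render_vulnerable))  # True
    print("escaped template exploitable:  ", exploitable(render_fixed))       # False
```

With escaping in place the parser sees a single input whose value attribute decodes back to the original payload string and a textarea whose content is plain text, which is also the quickest manual check to run against a patched theme: view source and confirm the stored payload appears as &quot;&gt;&lt;img ... rather than as a tag.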

Affects: Theme
Fixed in version: 2.7.8.4 (reflected XSS fixed in 2.7.1, stored XSS in 2.7.8.4)
Type: XSS
OWASP Top 10: A7 Cross-Site Scripting (XSS)


Original Researcher: QUIXSS
Submitter: quixss
Submitter Twitter: @quixss
Verified: No


Publicly Published: 2019-05-05
Added: 2019-05-29
Last Updated: 2020-01-02
