Traveler – Travel Booking WordPress Theme 2.7.1 – Reflected & Stored XSS

Description
Weak security measures, namely no filtering of input and textarea field data, have been discovered in the «Traveler - Travel Booking WordPress Theme».

Special Notes:
1 - The «Change Avatar» upload field behaves really strangely. E.g., you can upload any .PHP file with the extension .php.png and break the profile page (the server will respond with Error #500). Another possible issue is Null Byte Injection in PHP, but on the demo website any access to an uploaded file will be blocked by CloudFlare.
2 - In the «Google Chrome» browser the reflected XSS doesn't work because of built-in browser security measures; better use «Mozilla» or «Opera» instead.

Vendor changelog: https://travelerwp.com/traveler-changelog/
April 30, 2019 - Traveler version 2.7.1 - "Fix Reflected XSS Injection Security"
The Reflected XSS is still not fixed, and neither is the Stored XSS.
Proof of Concept
PoC [Reflected XSS Injection]:
~ For Reflected XSS Injection use the default WordPress search on the demo website: https://remap.travelerwp.com/?s=[payload]
~ Sample payload #1: "><img src=x onerror=alert(document.cookie)>
~ Sample payload #2: "><img src=x onerror=alert(`QUIXSS`)>

PoC [Stored XSS Injection]:
~ Go to the demo website https://carmap.travelerwp.com and register a new account (there is no validation or activation process), then log in to your account. Next go to the page https://carmap.travelerwp.com/page-user-setting/ . All input fields except «Username» and «E-mail» can be used for Stored XSS Injections; for a test you can use any payload starting with "> just to «close» the input field, and </textarea> to «close» the text box. Save the data and your payload(s) will be successfully injected.
~ The same logic works for any other theme options: the «Checkout» page https://remap.travelerwp.com/checkout/ with multiple vulnerable input fields, the «Write Review» page https://remap.travelerwp.com/page-user-setting/?sc=write_review&item_id=1084 , etc.
~ Sample payload #1: "><script>alert('QUIXSS')</script>
~ Sample payload #2: </textarea><img src="x" onerror="window.location.replace('https://twitter.com/quixss');">
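As an added illustration of the underlying defect and its fix (example code, not the theme's templates or the advisory author's), the standalone PHP below renders a profile text field and a textarea first the unescaped way and then with context-correct HTML escaping; the field names, function names and the two constructed inputs are assumptions, and plain htmlspecialchars() stands in for the WordPress helpers esc_attr() and esc_textarea() so the file runs without WordPress.

```php
<?php
// Added example: unescaped vs. escaped rendering of user-supplied profile data.
// Field names ($phone, $bio) and function names are assumptions, not the theme's own.

// Vulnerable pattern: user input echoed straight into an attribute and a textarea body.
// A value starting with "> ends the attribute and the tag; a value starting with
// </textarea> ends the text box. Anything after that is parsed as markup.
function render_unsafe(string $phone, string $bio): string {
    return '<input type="text" name="phone" value="' . $phone . '">' . "\n"
         . '<textarea name="bio">' . $bio . '</textarea>';
}

// Hardened pattern: escape for the exact HTML context the value lands in.
// In WordPress use esc_attr() for attribute values and esc_textarea() for textarea
// bodies; both entity-encode & < > " ' like htmlspecialchars() does here.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(string $phone, string $bio): string {
    return '<input type="text" name="phone" value="' . esc($phone) . '">' . "\n"
         . '<textarea name="bio">' . esc($bio) . '</textarea>';
}

// Constructed inputs following the two payload shapes in the advisory:
// attribute break-out with "> and textarea break-out with </textarea>.
$phone = '"><script>alert(\'QUIXSS\')</script>';
$bio   = '</textarea><img src="x" onerror="alert(1)">';

echo "--- unsafe ---\n" . render_unsafe($phone, $bio) . "\n";
echo "--- safe ---\n"   . render_safe($phone, $bio) . "\n";

// Self-check: the escaped output must contain no tag that came from user data,
// and exactly one textarea open/close pair (the template's own).
$safe = render_safe($phone, $bio);
assert(strpos($safe, '<script') === false);
assert(strpos($safe, '<img') === false);
assert(substr_count($safe, '<textarea') === 1 && substr_count($safe, '</textarea>') === 1);
```

The reflected case behaves the same way: a search term echoed with esc_attr() or esc_html() instead of raw output cannot close the surrounding attribute or element.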