Traveler – Travel Booking WordPress Theme v2.7.1 Reflected & Stored XSS Injections

Weak security measures, such as no filtering of data in input and textarea fields, have been discovered in the «Traveler - Travel Booking WordPress Theme». The current version of this premium WordPress theme is 2.7.1.

Special Notes:

1 - The «Change Avatar» upload field behaves strangely. For example, you can upload any .PHP file with the extension .php.png and break the profile page (the server will respond with Error #500). Another possible issue is Null Byte Injection in PHP, but on the demo website any access to an uploaded file is blocked by CloudFlare.

2 - In the «Google Chrome» browser, reflected XSS doesn't work because of built-in browser security measures; better use «Mozilla» or «Opera» instead.

April 30, 2019
Traveler version 2.7.1
Fix Reflected XSS Injection Security

Reflected XSS is still not fixed. And Stored XSS too.

Proof of Concept

PoC [Reflected XSS Injection]:

~ For Reflected XSS Injection use the default WordPress search on the demo website[payload]
~ Sample payload #1: "><img src=x onerror=alert(document.cookie)>
~ Sample payload #2: "><img src=x onerror=alert(`QUIXSS`)>

PoC [Stored XSS Injection]:

~ Go to the demo website and register a new account (there is no validation or activation process) and then log in to your account. Go to page next. All input fields except «Username» and «E-mail» can be used for Stored XSS Injections; for a test you can use any payload starting with "> just to «close» the input field and </textarea> to «close» the text box. Save the data and your payload(s) will be successfully injected.
~ The same logic works for any other theme options: the «Checkout» page with multiple vulnerable input fields, the «Write Review» page, etc.
~ Sample payload #1: "><script>alert('QUIXSS')</script>
~ Sample payload #2: </textarea><img src="x" onerror="window.location.replace('');">
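
The "> and </textarea> break-outs above only work when a stored value is written into the page without output escaping. The following is an added example, not the theme's code and not part of the original advisory: plain PHP (DOM extension assumed) that renders a hypothetical profile field with and without escaping, using the sample payloads quoted above as stored values, and counts the elements a parser finds that the form never emitted. The helper e(), the render_* functions and the field names are assumptions; in a WordPress template, esc_attr() and esc_textarea() fill the role of e().

```php
<?php
declare(strict_types=1);

// Hypothetical helper: escape for HTML attribute values and element text.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical profile-form fragments; $escape toggles the fix.
function render_input(string $value, bool $escape): string {
    return '<input type="text" name="display_name" value="'
        . ($escape ? e($value) : $value) . '">';
}

function render_textarea(string $value, bool $escape): string {
    return '<textarea name="bio">' . ($escape ? e($value) : $value) . '</textarea>';
}

// Count elements in the rendered fragment that the form itself never emits.
function injected_elements(string $html): int {
    libxml_use_internal_errors(true);   // tolerate the malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>');
    $count = 0;
    foreach (['img', 'script'] as $tag) {
        $count += $doc->getElementsByTagName($tag)->length;
    }
    libxml_clear_errors();
    return $count;
}

// Sample payloads quoted in the PoC section, used here as stored field values.
$cases = [
    ['input',    'render_input',    '"><img src=x onerror=alert(`QUIXSS`)>'],
    ['input',    'render_input',    '"><script>alert(\'QUIXSS\')</script>'],
    ['textarea', 'render_textarea', '</textarea><img src="x" onerror="window.location.replace(\'\');">'],
];

foreach ($cases as [$context, $render, $payload]) {
    foreach ([false, true] as $escape) {
        $html = $render($payload, $escape);
        printf("%-8s escaped=%-3s injected elements=%d\n  %s\n",
            $context, $escape ? 'yes' : 'no', injected_elements($html), $html);
    }
}
```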