SB2020011327 - Multiple vulnerabilities in CTHthemes CityBook
Published: January 13, 2020 Updated: July 17, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: CVE-2019-20209)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing.
2) Cross-site scripting (CVE-ID: CVE-2019-20210)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via a search query. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2019-20211)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Cross-site scripting (CVE-ID: CVE-2019-20212)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the chat widget/page message form. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- https://cxsecurity.com/issue/WLB-2019120110
- https://cxsecurity.com/issue/WLB-2019120111
- https://cxsecurity.com/issue/WLB-2019120112
- https://themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727
- https://themeforest.net/item/easybook-directory-listing-wordpress-theme/23206622
- https://themeforest.net/item/townhub-directory-listing-wordpress-theme/25019571
- https://wpvulndb.com/vulnerabilities/10013
- https://wpvulndb.com/vulnerabilities/10014
- https://wpvulndb.com/vulnerabilities/10018