Vendor: Reservit Hotel
By: Ilteris Kaan Pehlivan
CVSS: 6.1 HIGH
Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: Reservit Hotel
Affected Version From: 2.1
Affected Version To: 3
Patch Exists: YES
Related CWE: CVE-2024-9458
CPE: a:reservit_hotel:reservit_hotel:2.1
Platforms Tested: Windows, WordPress
2024

Reservit Hotel < 3.0 - Admin+ Stored XSS

Reservit Hotel plugin version 2.1 does not properly sanitize and escape certain settings, allowing high privilege users, like admin, to execute Stored Cross-Site Scripting attacks. This vulnerability can be exploited even when the unfiltered_html capability is restricted.

Mitigation:

To mitigate this vulnerability, it is recommended to update to version 3.0 or later of the Reservit Hotel plugin. Additionally, users should avoid inputting untrusted data into the affected fields.

Exploit-DB raw data:

# Exploit Title: Reservit Hotel < 3.0 - Admin+ Stored XSS
# Date: 2024-10-01
# Exploit Author: Ilteris Kaan Pehlivan
# Vendor Homepage: https://wpscan.com/plugin/reservit-hotel/
# Version: Reservit Hotel 2.1
# Tested on: Windows, WordPress, Reservit Hotel < 3.0
# CVE : CVE-2024-9458

The plugin does not sanitise and escape some of its settings, which could
allow high privilege users such as admin to perform Stored Cross-Site
Scripting attacks even when the unfiltered_html capability is disallowed
(for example in multisite setup).

1. Install and activate the Reservit Hotel plugin.
2. Go to Reservit hotel > Content.
3. Add the following payload to the Button text > French field and save:
" style=animation-name:rotation onanimationstart=alert(/XSS/)//
4. The XSS will trigger upon saving and whenever any user accesses the
content dashboard again.

References:
https://wpscan.com/vulnerability/1157d6ae-af8b-4508-97e9-b9e86f612550/
https://www.cve.org/CVERecord?id=CVE-2024-9458
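
The following is an added example, not code from the plugin or from the advisory author. It shows why the missing output escaping matters and what the fix changes: the payload from step 3 is rendered into a double-quoted `value` attribute with and without escaping, and the result is parsed to list any attributes that were not in the template. The template and the field name `btn_text_fr` are assumptions made for illustration; in WordPress the corresponding output-escaping call for this context is `esc_attr()`.

```python
from html import escape
from html.parser import HTMLParser

# Payload exactly as published in step 3 of the advisory.
PAYLOAD = '" style=animation-name:rotation onanimationstart=alert(/XSS/)//'


def render_unescaped(value: str) -> str:
    """Hypothetical vulnerable template: the saved setting is echoed raw."""
    return f'<input type="text" name="btn_text_fr" value="{value}">'


def render_escaped(value: str) -> str:
    """Hardened template: quotes, ampersands and angle brackets become entities."""
    safe = escape(value, quote=True)
    return f'<input type="text" name="btn_text_fr" value="{safe}">'


class AttrCollector(HTMLParser):
    """Records the attributes the parser sees on each <input> tag."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def parsed_attrs(markup: str) -> dict:
    """Attributes of the first <input> element in the markup."""
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.inputs[0]


def injected_attrs(markup: str) -> list:
    """Attribute names present beyond those the template itself defines."""
    expected = {"type", "name", "value"}
    return sorted(set(parsed_attrs(markup)) - expected)


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        out = render(PAYLOAD)
        print(render.__name__, injected_attrs(out), repr(parsed_attrs(out)["value"]))
```

With escaping applied, the whole string stays inside `value` and round-trips as plain text, so the setting can still be displayed and edited without the markup changing shape.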