HomePage Forums Traveler Traveler theme removed

This topic contains 2 replies, has 2 voices, and was last updated by  Bryan 4 months, 1 week ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
  • #67286

    My theme keeps getting removed. This is the second time in a month

    Your theme Traveler has a security vulnerability and our systems remove it from your site.

    Could you please contact the theme vendors about it?
    Here you have more information on the vulnerability:


    In the meantime, theme twenty nineteen has been activated.


    Weak security measures like no input & textarea fields data filtering has been discovered in the «Traveler – Travel Booking WordPress Theme».

    Special Notes:
    1 – «Change Avatar» upload field works really strange. F.e., u can upload any .PHP file with extension .php.png and break profile page (Server will respond with Error #500). Another possible issue is Null Byte Injection in PHP, but on the demo website any access to uploaded file will be blocked by CloudFlare.

    2 – On the «Google Chrome» browser reflected XSS doesn’t work cause of built-in browser security measures, better use «Mozilla» or «Opera» instead.

    April 30, 2019
    Traveler version 2.7.1
    Fix Reflected XSS Injection Security

    Reflected XSS still not fixed. And Stored XSS too.
    Proof of Concept
    PoC [Reflected XSS Injection]:
    ~ For Reflected XSS Injection use default WordPress search on the demo website https://remap.travelerwp.com/?s=%5Bpayload%5D
    ~ Sample payload #1: “>
    ~ Sample payload #2: “><img src=x onerror=alert(QUIXSS)>

    PoC [Stored XSS Injection]:
    ~ Go to the demo website https://carmap.travelerwp.com and register a new account (there is no validation or activation process) and then log in to your account. Go to https://carmap.travelerwp.com/page-user-setting/ page next. All input fields except «Username» and «E-mail» can be used for Stored XSS Injections, for test u can use any payload started from “> just to «close» input field and </textarea> to «close» the text box. Save the data and your payload(s) will be successfully injected.

    ~ Same logic works for any other theme options: «Checkout» page https://remap.travelerwp.com/checkout/ with multiple vulnerable input fields, «Write Review» page https://remap.travelerwp.com/page-user-setting/?sc=write_review&item_id=1084 etc. etc.
    ~ Sample payload #1: “><script>alert(‘QUIXSS’)</script>
    ~ Sample payload #2: </textarea>




    Do you use WordPress.com host? Our theme is based on WordPress.org. The topic bellow will show you more details:



Viewing 3 posts - 1 through 3 (of 3 total)

The forum ‘Traveler’ is closed to new topics and replies.