WordPress adivaha Travel Plugin 2.3 - Reflected XSS

Exploit Author: CraCkEr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: JavaScript Published Date: 2023-08-04
# Exploit Title: WordPress adivaha Travel Plugin 2.3 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 29/07/2023
# Vendor: adivaha - Travel Tech Company
# Vendor Homepage: https://www.adivaha.com/
# Software Link: https://wordpress.org/plugins/adiaha-hotel/
# Demo: https://www.adivaha.com/demo/adivaha-online/
# Version: 2.3
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message; the attacker can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.


Path: /mobile-app/v3/

GET parameter 'isMobile' is vulnerable to XSS

https://www.website/mobile-app/v3/?pid=77A89299&isMobile=[XSS]


XSS Payload: clq95"><script>alert(1)</script>lb1ra


[-] Done


WordPress adivaha Travel Plugin 2.3 – Reflected XSS Vulnerability: A Deep Dive into Exploitation and Mitigation

Security researchers and ethical hackers continue to uncover vulnerabilities in widely used WordPress plugins, exposing critical flaws that can compromise user data and site integrity. One such discovery is the reflected XSS vulnerability in the adivaha Travel Plugin 2.3, a popular travel management tool used by hotels and tour operators across the globe.

Overview of the Vulnerability

Discovered on July 29, 2023, by security researcher CraCkEr, the flaw resides in the plugin's mobile app interface at the path: /mobile-app/v3/. The GET parameter isMobile is directly reflected in the page output without proper sanitization, making it a prime target for reflected cross-site scripting (XSS) attacks.

Attackers can craft malicious URLs containing injected scripts, which when clicked by a victim, execute code in the victim's browser environment. This allows for session hijacking, credential theft, and manipulation of website content.

Exploit Details and Real-World Impact

Consider the following vulnerable URL:

https://www.website/mobile-app/v3/?pid=77A89299&isMobile=clq95%22%3E%3Cscript%3Ealert(1)%3C/script%3Elb1ra

This URL includes a crafted isMobile parameter that embeds a script tag. When rendered in the browser, the malicious payload executes, triggering a pop-up alert. While harmless in this case, real-world exploitation could include:

  • Stealing session cookies via document.cookie access
  • Redirecting users to phishing sites
  • Injecting hidden form fields to capture login credentials
  • Modifying the page content to display fake booking confirmation messages

Such attacks are particularly dangerous when delivered via email or instant messaging, as users often trust links from known sources.

Technical Analysis: How the XSS Works

The vulnerability arises due to improper input handling in the plugin’s code. When the isMobile parameter is passed via the URL, the plugin directly outputs it in HTML without escaping special characters.

For example, in the PHP code (hypothetical snippet):

echo '<div>Mobile Mode: ' . $_GET['isMobile'] . '</div>';

This code is dangerously vulnerable because it does not sanitize or escape the input. The isMobile value is treated as raw HTML, allowing attackers to inject <script> tags or other malicious payloads.

Corrected Implementation: Secure Input Handling

To prevent such vulnerabilities, developers must implement proper sanitization and output encoding. Here’s a secure version using PHP’s htmlspecialchars() function:

echo '<div>Mobile Mode: ' . htmlspecialchars($_GET['isMobile'], ENT_QUOTES, 'UTF-8') . '</div>';

Explanation: The htmlspecialchars() function converts special characters like <, >, ", and & into their HTML entity equivalents, preventing script execution. The ENT_QUOTES flag ensures both single and double quotes are escaped, and UTF-8 ensures compatibility with international character sets.

Additionally, input validation should be applied:

if (isset($_GET['isMobile']) && preg_match('/^[a-zA-Z0-9]+$/', $_GET['isMobile'])) {
    echo '<div>Mobile Mode: ' . htmlspecialchars($_GET['isMobile'], ENT_QUOTES, 'UTF-8') . '</div>';
} else {
    echo '<div>Mobile Mode: Default</div>';
}

This ensures only alphanumeric characters are accepted, reducing the risk of injection attacks.
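To make the difference between the three PHP snippets above concrete, the following is an added example (it is not the plugin's code and not the analysis author's) that re-expresses the vulnerable, escaped and allowlisted handlers in Python, then runs all three against the isMobile value decoded from the proof-of-concept URL quoted in the advisory. The function names and the `CRAFTED_URL` constant are this example's own; `html.escape(..., quote=True)` plays the role of `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')`.

```python
"""Model of the vulnerable and hardened isMobile handlers from the analysis.

Added example (not the plugin's code): the PHP snippets are re-expressed in
Python so that all three behaviours can be exercised offline against the
crafted URL quoted in the advisory. Function names are this example's own.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the advisory's proof-of-concept URL (the hostname is the
# advisory's own placeholder, not a real site).
CRAFTED_URL = (
    "https://www.website/mobile-app/v3/"
    "?pid=77A89299&isMobile=clq95%22%3E%3Cscript%3Ealert(1)%3C/script%3Elb1ra"
)

# Allowlist from the "input validation" snippet: alphanumerics only.
# re.fullmatch is slightly stricter than PHP's '^...$' (which also accepts
# a trailing newline); that is the safer direction.
IS_MOBILE_RE = re.compile(r"[a-zA-Z0-9]+")


def is_mobile_from_url(url: str) -> str:
    """Extract the isMobile query parameter the way $_GET exposes it:
    percent-decoded, first value wins, empty string if absent."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("isMobile", [""])[0]


def render_vulnerable(is_mobile: str) -> str:
    """Equivalent of  echo '<div>Mobile Mode: ' . $_GET['isMobile'] . '</div>';
    The value is concatenated into the markup unchanged."""
    return "<div>Mobile Mode: " + is_mobile + "</div>"


def render_hardened(is_mobile: str) -> str:
    """Equivalent of the htmlspecialchars(..., ENT_QUOTES, 'UTF-8') version.
    html.escape(quote=True) converts & < > " and ' to entities, so markup in
    the value is rendered as text rather than parsed as HTML."""
    return "<div>Mobile Mode: " + html.escape(is_mobile, quote=True) + "</div>"


def render_validated(is_mobile: str) -> str:
    """Equivalent of the allowlist check plus escaping: values outside
    [a-zA-Z0-9]+ fall back to the default label instead of being echoed."""
    if IS_MOBILE_RE.fullmatch(is_mobile):
        return render_hardened(is_mobile)
    return "<div>Mobile Mode: Default</div>"


def contains_script_tag(rendered: str) -> bool:
    """True when the rendered fragment still contains a parsable <script>
    tag, i.e. the injected value survived as HTML rather than as text."""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    value = is_mobile_from_url(CRAFTED_URL)
    print("decoded isMobile :", value)
    print("vulnerable       :", render_vulnerable(value))
    print("hardened         :", render_hardened(value))
    print("validated        :", render_validated(value))
```

Running the module prints the three renderings side by side: the vulnerable one contains a live `<script>` element, the hardened one contains `&lt;script&gt;` and `&quot;` and is inert, and the validated one never echoes the value at all because it fails the alphanumeric allowlist.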

Security Recommendations for Users and Developers

| Recommendation | Description |
| --- | --- |
| Update the Plugin | Users should immediately update to the latest version if available. If no patch exists, consider disabling the plugin until a fix is released. |
| Input Sanitization | Always sanitize user inputs before rendering in HTML. Use functions like htmlspecialchars() or htmlentities(). |
| Content Security Policy (CSP) | Implement a strong CSP header to block inline scripts and restrict execution of external scripts. |
| Monitor Logs | Regularly audit server logs for suspicious GET parameters, especially those containing script tags. |
| Use Web Application Firewalls (WAF) | Deploy a WAF like ModSecurity or Cloudflare to detect and block XSS attempts in real time. |
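The "Monitor Logs" recommendation is easy to state and easy to get wrong, because the payload arrives percent-encoded and a grep for `<script` on the raw log line misses it. The following added example (not the vendor's or the analysis author's tooling) scans combined-format access log lines, percent-decodes each query parameter, peels off extra encoding layers, and reports which parameter carried script markup. The log lines, client addresses and timestamps are constructed for this example; the request path and the encoded payload are the ones quoted in the advisory.

```python
"""Detect reflected-XSS probes against query parameters in access logs.

Added example (not the plugin's or vendor's tooling): a small scanner over
Apache/nginx combined-format lines that percent-decodes every query
parameter and flags values carrying script markup. Sample lines are
constructed; the path and payload encoding come from the advisory.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: client, identd, user, [time], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

# Markers that indicate HTML/JS injection in a decoded parameter value.
MARKUP_RE = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b",
    re.IGNORECASE,
)

# Constructed sample log (documentation-range addresses, placeholder times).
# Line 2 carries the advisory's payload; line 3 carries it double-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2023:10:15:01 +0000] "GET /mobile-app/v3/?pid=77A89299&isMobile=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jul/2023:10:16:44 +0000] "GET /mobile-app/v3/?pid=77A89299&isMobile=clq95%22%3E%3Cscript%3Ealert(1)%3C/script%3Elb1ra HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jul/2023:10:17:02 +0000] "GET /mobile-app/v3/?pid=77A89299&isMobile=%2522%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Jul/2023:10:18:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so a double-encoded
    value (%2522 -> %22 -> ") is inspected in the form the browser sees."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> list:
    """Return one finding dict per query parameter whose decoded value
    carries script markup; an empty list for benign or unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    findings = []
    # parse_qsl already removes one encoding layer; fully_decode handles more.
    for name, raw in parse_qsl(target.query, keep_blank_values=True):
        hit = MARKUP_RE.search(fully_decode(raw))
        if hit:
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "path": target.path,
                "param": name,
                "marker": hit.group(0),
            })
    return findings


def scan_log(text: str) -> list:
    """Scan every non-empty line and collect findings in log order."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} "
              f"param={f['param']} marker={f['marker']!r}")
```

On the sample above the scanner reports two hits, both on `isMobile` under `/mobile-app/v3/`, and stays silent on the benign `isMobile=true` request and the login page; the double-encoded line is caught only because `fully_decode` keeps unquoting until the value stops changing, which is the step a naive single `unquote` misses.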

Conclusion: A Reminder for the WordPress Ecosystem

The adivaha Travel Plugin 2.3 XSS vulnerability serves as a stark reminder that even trusted plugins can introduce critical security flaws. As the WordPress ecosystem grows, so does the attack surface. Developers must prioritize secure coding practices, and site administrators must remain vigilant.

Security is not a one-time fix—it’s an ongoing process. By applying proper input validation, output encoding, and proactive monitoring, we can significantly reduce the risk of reflected XSS and protect users from malicious exploitation.