CVE-2019-20210
Description
CTHthemes CityBook (≤2.3.3), TownHub (≤1.0.5), and EasyBook (≤1.2.1) WordPress themes allow reflected XSS via search query.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CTHthemes CityBook (≤2.3.3), TownHub (≤1.0.5), and EasyBook (≤1.2.1) WordPress themes allow reflected XSS via search query.
Vulnerability
The CTHthemes CityBook before version 2.3.4, TownHub before version 1.0.6, and EasyBook before version 1.2.2 WordPress themes are vulnerable to reflected cross-site scripting (XSS) via the search_term parameter in the search functionality. The vulnerability exists because user input is not properly sanitized before being reflected in the page output. [1][2][3]
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing an XSS payload in the search_term parameter. No authentication is required, and the victim only needs to click the crafted link. For example, a payload like `` can be used to execute arbitrary JavaScript in the victim's browser. [1][2][3]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to cookie theft, session hijacking, redirection to malicious sites, or defacement of the page. The impact is limited to the user's browser and does not directly affect the server. [1][2][3]
Mitigation
Users should update the themes to the patched versions: CityBook 2.3.4, TownHub 1.0.6, and EasyBook 1.2.2. If immediate update is not possible, consider adding a web application firewall (WAF) rule to sanitize the search_term parameter. The vulnerability is not known to be exploited in the wild as of the publication date. [1][2][3]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- CTHthemes/CityBookdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization of the `search_term` query parameter allows reflected cross-site scripting (XSS)."
Attack vector
An attacker crafts a URL containing a malicious payload in the `search_term` query parameter and tricks a victim into clicking it. For CityBook, the PoC URL is `/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E` [ref_id=1]; for EasyBook, the PoC is `/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E` [ref_id=2]. No authentication is required — the payload executes in the victim's browser session when the search results page renders the unescaped input.
Affected code
The vulnerability exists in the search functionality of the CityBook (before 2.3.4), TownHub (before 1.0.6), and EasyBook (before 1.2.2) WordPress themes. The search input field on the homepage — labeled "What are you looking for?" in CityBook [ref_id=1] and "Hotel , City..." in EasyBook [ref_id=2] — does not sanitize user-supplied input before reflecting it in the page output.
What the fix does
The advisory states that the fix is to upgrade to CityBook 2.3.4, TownHub 1.0.6, or EasyBook 1.2.2 [ref_id=1][ref_id=2]. No patch diff is provided in the bundle, but the remediation involves properly escaping or sanitizing the `search_term` parameter before it is rendered in the search results page, preventing HTML/JavaScript injection.
Preconditions
- inputThe victim must visit a crafted URL containing the malicious search_term parameter while the site uses a vulnerable theme version (CityBook < 2.3.4, TownHub < 1.0.6, EasyBook < 1.2.2)
- authNo authentication or special privileges required; the search page is publicly accessible
Reproduction
1. Identify a WordPress site running CityBook (< 2.3.4), TownHub (< 1.0.6), or EasyBook (< 1.2.2). 2. For CityBook, visit: `https://target-site/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E` [ref_id=1]. 3. For EasyBook, visit: `https://target-site/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E` [ref_id=2]. 4. Observe that the JavaScript payload executes (e.g., an alert box with the cookie appears), confirming the reflected XSS.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- cxsecurity.com/issue/WLB-2019120110mitrex_refsource_MISC
- cxsecurity.com/issue/WLB-2019120111mitrex_refsource_MISC
- cxsecurity.com/issue/WLB-2019120112mitrex_refsource_MISC
- themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727mitrex_refsource_MISC
- themeforest.net/item/easybook-directory-listing-wordpress-theme/23206622mitrex_refsource_MISC
- themeforest.net/item/townhub-directory-listing-wordpress-theme/25019571mitrex_refsource_MISC
- wpvulndb.com/vulnerabilities/10013mitrex_refsource_MISC
- wpvulndb.com/vulnerabilities/10014mitrex_refsource_MISC
- wpvulndb.com/vulnerabilities/10018mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.