CVE-2019-20211
Description
Persistent XSS vulnerabilities in CTHthemes CityBook, TownHub, and EasyBook WordPress themes allow attackers to inject arbitrary JavaScript via multiple listing fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multiple persistent cross-site scripting (XSS) vulnerabilities exist in the CTHthemes CityBook (before version 2.3.4), TownHub (before version 1.0.6), and EasyBook (before version 1.2.2) WordPress themes [1][2][3]. The flaws occur in the listing submission and chat features, where user-supplied input is not properly sanitized before being stored and later displayed. Affected input fields include Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Service Name, Address, Latitude, Longitude, Phone Number, and Website [1][2][3]. The vulnerabilities are present in the themes' dashboard and front-end listing pages.
Exploitation
An attacker must have the ability to submit or edit listings (typically an authenticated user with listing submission privileges) or send chat messages. No special network position is required beyond normal web access. The attacker injects a malicious JavaScript payload into one of the vulnerable fields (e.g., a tag-breakout string such as `"><img src=x onerror=alert(document.cookie)>`). The payload is stored on the server and executed when any user, including administrators, views the listing or chat message [1][2][3]. The references demonstrate that payloads in the address, latitude, and longitude fields also trigger in the admin dashboard, increasing the likelihood of targeting privileged users [3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, cookie theft, defacement of the site, or redirection to malicious websites. Because the payload can be triggered in the admin interface, an attacker may steal administrator cookies and gain full control over the WordPress installation [1][2][3]. The impact is high, as it compromises the confidentiality, integrity, and availability of the affected site.
Mitigation
The vendor has released patched versions: CityBook 2.3.4, TownHub 1.0.6, and EasyBook 1.2.2 [1][2][3]. Users should update their themes to these versions or later immediately. No workarounds are documented. The vulnerabilities are not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CTHthemes/CityBook
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping on multiple user-facing form fields allows stored cross-site scripting (XSS)."
Attack vector
An attacker can inject arbitrary JavaScript into any of the vulnerable fields — Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Service Name, Address, Latitude, Longitude, Phone Number, or Website — by submitting a payload such as `"><img src=x onerror=alert(document.cookie)>` via the listing submission form or profile editing form [ref_id=1][ref_id=2]. The payload is stored in the database and executed when any user (including an administrator) views the affected page, such as the listing detail page or the dashboard profile page [ref_id=1]. The researcher notes that the Listing Address payload "also works on the admin dashboard, so it's possible to steal administrator cookies" [ref_id=1]. The chat system is also vulnerable, allowing an attacker to send a malicious message to user ID 1 (typically the admin) via a POST to `/wp-admin/admin-ajax.php` with the `reply_text` parameter containing the payload [ref_id=1][ref_id=2].
Affected code
The vulnerability affects the CityBook (before 2.3.4), TownHub (before 1.0.6), and EasyBook (before 1.2.2) WordPress themes by CTHthemes [ref_id=1][ref_id=2]. The researcher identifies multiple input fields across listing submission, profile editing, and chat functionality that fail to sanitize user-supplied data before rendering it in the browser [ref_id=1][ref_id=2]. No patch files are included in the bundle, so the exact code paths are not shown.
What the fix does
The advisory states that the fix is to update CityBook to version 2.3.4, TownHub to version 1.0.6, and EasyBook to version 1.2.2 [ref_id=1][ref_id=2]. No patch diff is included in the bundle, so the specific code changes are not visible. The remediation would require the theme developer to add proper output escaping (e.g., WordPress functions like `esc_html()` or `esc_attr()`) on all the listed input fields before rendering user-supplied data, and to sanitize inputs on submission using functions like `sanitize_text_field()` or `wp_kses()`.
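To make the two halves of that remediation concrete, the following is an added illustration (not CTHthemes' code, and not a reconstruction of the actual patch, which is not in the bundle): a hypothetical listing save/render pair in its vulnerable form next to a hardened form, plus a hardened handler for the chat path. The `cth_example_*` function names, field keys and nonce action are assumptions; the WordPress helpers (`sanitize_text_field()`, `sanitize_email()`, `esc_url_raw()`, `esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses_post()`, `wp_unslash()`, `check_ajax_referer()`) are real.

```php
<?php
// Added example, not theme code. Field keys and cth_example_* names are hypothetical.

// Vulnerable pattern: request data is stored verbatim and later echoed with no
// escaping, so a tag-breakout string in any field becomes live markup.
function cth_example_render_listing_unsafe( array $listing ) {
    echo '<div class="address">' . $listing['address'] . '</div>';
    echo '<div class="map" data-lat="' . $listing['latitude'] . '" data-lng="' . $listing['longitude'] . '"></div>';
    echo '<a href="' . $listing['website'] . '">' . $listing['email'] . '</a>';
    echo '<div class="desc">' . $listing['description'] . '</div>';
}

// Hardened input side: validate/sanitize each field according to its type.
function cth_example_save_listing_safe( array $post ) {
    // Latitude/longitude are numbers; anything else is rejected rather than stored.
    $lat = isset( $post['listing_latitude'] ) ? filter_var( $post['listing_latitude'], FILTER_VALIDATE_FLOAT ) : false;
    $lng = isset( $post['listing_longitude'] ) ? filter_var( $post['listing_longitude'], FILTER_VALIDATE_FLOAT ) : false;
    if ( false === $lat || $lat < -90 || $lat > 90 || false === $lng || $lng < -180 || $lng > 180 ) {
        return new WP_Error( 'invalid_coords', 'Latitude/longitude must be numeric and in range.' );
    }
    return array(
        'address'     => sanitize_text_field( wp_unslash( $post['listing_address'] ?? '' ) ), // strips tags
        'latitude'    => (float) $lat,
        'longitude'   => (float) $lng,
        'email'       => sanitize_email( wp_unslash( $post['email_address'] ?? '' ) ),
        'website'     => esc_url_raw( wp_unslash( $post['website'] ?? '' ), array( 'http', 'https' ) ), // no javascript: URLs
        'description' => wp_kses_post( wp_unslash( $post['description'] ?? '' ) ),                       // allowed HTML subset only
    );
}

// Hardened output side: escape for the context each value lands in
// (text node, attribute, href), even though input was already sanitized.
function cth_example_render_listing_safe( array $listing ) {
    echo '<div class="address">' . esc_html( $listing['address'] ) . '</div>';
    echo '<div class="map" data-lat="' . esc_attr( $listing['latitude'] ) . '" data-lng="' . esc_attr( $listing['longitude'] ) . '"></div>';
    echo '<a href="' . esc_url( $listing['website'] ) . '">' . esc_html( $listing['email'] ) . '</a>';
    echo '<div class="desc">' . wp_kses_post( $listing['description'] ) . '</div>';
}

// Chat path: the advisory says reply_text sent via admin-ajax.php reached the
// recipient unsanitized. A hardened handler checks a nonce and login state,
// sanitizes the text on the way in, and escapes it on the way out.
function cth_example_chat_reply_safe() {
    check_ajax_referer( 'cth_example_chat', 'nonce' ); // hypothetical nonce action name
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 403 );
    }
    $text = sanitize_text_field( wp_unslash( $_POST['reply_text'] ?? '' ) );
    if ( '' === $text ) {
        wp_send_json_error( 'empty message', 400 );
    }
    // ... persist $text for the recipient here (storage omitted) ...
    wp_send_json_success( array( 'reply_text' => esc_html( $text ) ) );
}
add_action( 'wp_ajax_cth_example_chat_reply', 'cth_example_chat_reply_safe' );
```

The pairing matters: input sanitization alone would not have protected the admin dashboard if an older, unsanitized record was already in the database, and output escaping alone leaves the stored data hostile to any other consumer (exports, e-mails, mobile APIs). Escaping per context is the point of the distinct `esc_html()`/`esc_attr()`/`esc_url()` calls; `esc_url()` in particular refuses `javascript:` schemes that a plain HTML-escape would pass through in an `href`.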
Preconditions
- auth: Attacker must have a registered user account on the WordPress site to submit listings or edit their profile
- input: For the chat XSS, the attacker must know their own user_id and the target's user_id (e.g., admin is typically ID 1)
- config: The site must be running a vulnerable version of CityBook (< 2.3.4), TownHub (< 1.0.6), or EasyBook (< 1.2.2)
- network: Network access to the WordPress site's admin-ajax.php endpoint
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- cxsecurity.com/issue/WLB-2019120110
- cxsecurity.com/issue/WLB-2019120111
- cxsecurity.com/issue/WLB-2019120112
- themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727
- themeforest.net/item/easybook-directory-listing-wordpress-theme/23206622
- themeforest.net/item/townhub-directory-listing-wordpress-theme/25019571
- wpvulndb.com/vulnerabilities/10013
- wpvulndb.com/vulnerabilities/10014
- wpvulndb.com/vulnerabilities/10018
News mentions
No linked articles in our index yet.