CVE-2019-20212
Description
Persistent XSS in the chat widget of three CTHthemes WordPress themes allows unauthenticated attackers to inject arbitrary JavaScript, leading to session hijacking or redirects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in the chat widget and dashboard chat message form of three CTHthemes WordPress themes: CityBook before version 2.3.4, TownHub before version 1.0.6, and EasyBook before version 1.2.2 [1][2][3]. The chat functionality does not sanitize user input in the reply_text parameter, allowing the injection of arbitrary HTML and JavaScript [1]. The vulnerability is reachable from the chat widget on the bottom-right corner of any page or from the /dashboard/ chat interface [1].
Exploitation
An unauthenticated attacker can send a crafted POST request to /wp-admin/admin-ajax.php with the action parameter set to the theme-specific chat reply action (e.g., easybook_addons_chat_reply) and include a malicious payload in the reply_text field. A valid nonce (_nonce) and a chat conversation ID (cid) are required, but these can be obtained by initiating a chat session as a regular visitor [1][2]. The injected payload is then stored and executed in the browser of any user or administrator who views the chat history [1][2][3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to cookie theft (session hijacking), forced redirection to malicious websites, or defacement of the chat interface. If an administrator views the malicious chat message, the attacker could steal admin cookies and gain full administrative access to the WordPress site [1][2][3].
Mitigation
CTHthemes has released patched versions: CityBook 2.3.4, TownHub 1.0.6, and EasyBook 1.2.2 [1][2][3]. Users should update to these fixed versions immediately. No workaround is available for unpatched installations. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CTHthemes/CityBook
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization on the chat message `reply_text` parameter allows stored cross-site scripting (XSS)."
Attack vector
An attacker sends a POST request to `/wp-admin/admin-ajax.php` containing a malicious payload in the `reply_text` parameter, along with a valid `_nonce`, `user_id`, and `touid` (the recipient's user ID) [ref_id=1][ref_id=2]. The payload, such as `
Affected code
The chat widget/message form in the CityBook (before 2.3.4), TownHub (before 1.0.6), and EasyBook (before 1.2.2) WordPress themes does not sanitize user-supplied input before storing and rendering it. The vulnerable endpoint is `/wp-admin/admin-ajax.php` with actions `citybook_addons_chat_reply` (CityBook) and `easybook_addons_chat_reply` (EasyBook), where the `reply_text` parameter is written directly into chat messages [ref_id=1][ref_id=2].
What the fix does
The advisory does not include a patch diff, but the fix involves upgrading to CityBook 2.3.4, TownHub 1.0.6, or EasyBook 1.2.2 [ref_id=1][ref_id=2]. These versions presumably add output encoding or input sanitization on the `reply_text` parameter before it is stored and rendered in the chat widget, preventing script execution.
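As an added illustration (not CTHthemes' code; the advisory carries no patch diff), a WordPress AJAX handler that applies both controls the paragraph names: input sanitization of `reply_text` with `sanitize_textarea_field()` and HTML escaping with `esc_html()` when the message is rendered, behind a nonce check. The hook name, the nonce action and the `example_store_chat_message()` helper are assumptions; the WordPress functions called are real core APIs.

```php
<?php
// Added illustration, not the theme's own code. Hook names, the nonce action
// and example_store_chat_message() are hypothetical; WP core functions are real.

add_action( 'wp_ajax_example_chat_reply', 'example_chat_reply' );
add_action( 'wp_ajax_nopriv_example_chat_reply', 'example_chat_reply' );

function example_chat_reply() {
    // Reject requests whose _nonce is not valid for this specific action.
    check_ajax_referer( 'example_chat_nonce', '_nonce' );

    $cid   = isset( $_POST['cid'] ) ? absint( $_POST['cid'] ) : 0;
    $touid = isset( $_POST['touid'] ) ? absint( $_POST['touid'] ) : 0;

    // Vulnerable pattern: $text = $_POST['reply_text']; stored and echoed raw.
    // Hardened: strip tags and control characters on the way in ...
    $text = isset( $_POST['reply_text'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['reply_text'] ) )
        : '';

    if ( 0 === $cid || 0 === $touid || '' === $text ) {
        wp_send_json_error( array( 'message' => 'missing fields' ), 400 );
    }

    // get_current_user_id() is 0 for visitors; the store should still record
    // which conversation the message belongs to and who it is addressed to.
    example_store_chat_message( $cid, get_current_user_id(), $touid, $text );

    wp_send_json_success( array( 'html' => example_render_chat_message( $text ) ) );
}

// ... and escape on the way out. Output encoding is the control that stops
// stored XSS regardless of what reached the database: a stored "<script>"
// is rendered as inert text in both the widget and the dashboard chat view.
function example_render_chat_message( $text ) {
    return '<div class="chat-message">' . esc_html( $text ) . '</div>';
}
```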
Preconditions
- auth: Attacker must have a valid WordPress user account on the target site to obtain a user_id and _nonce.
- config: The target site must be running a vulnerable version of CityBook (<2.3.4), TownHub (<1.0.6), or EasyBook (<1.2.2).
- input: Attacker must know or guess the recipient's user ID (touid), often set to 1 for the admin account.
- network: Attacker must be able to reach the /wp-admin/admin-ajax.php endpoint over HTTP.
Reproduction
Send a POST request to `/wp-admin/admin-ajax.php` with the following body (adjust for the theme in use): `action=citybook_addons_chat_reply&_nonce=VALID_NONCE&cid=1020&user_id=YOUR_ID&touid=1&reply_text=
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- cxsecurity.com/issue/WLB-2019120110
- cxsecurity.com/issue/WLB-2019120111
- cxsecurity.com/issue/WLB-2019120112
- themeforest.net/item/citybook-directory-listing-wordpress-theme/21694727
- themeforest.net/item/easybook-directory-listing-wordpress-theme/23206622
- themeforest.net/item/townhub-directory-listing-wordpress-theme/25019571
- wpvulndb.com/vulnerabilities/10013
- wpvulndb.com/vulnerabilities/10014
- wpvulndb.com/vulnerabilities/10018
News mentions
No linked articles in our index yet.