CVE-2023-54358

MEDIUM

WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile

Title source: cna

Description

WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials.

Exploits (1)

exploitdb WORKING POC

by CraCkEr · textwebappsphp

https://www.exploit-db.com/exploits/51663

View Code ZIP pw:eip

References (4)

[Exploit] https://www.exploit-db.com/exploits/51663

[Product] https://www.adivaha.com/

[Product] https://wordpress.org/plugins/adiaha-hotel/

[Third Party Advisory] https://www.vulncheck.com/advisories/wordpress-adivaha-travel-plugin-reflected-xss-via-ismobile

Scores

CVSS v3 6.1

EPSS 0.0008

EPSS Percentile 23.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

Adivaha/WordPress adivaha Travel Plugin 2.3

Published Apr 09, 2026

Tracked Since Apr 10, 2026