CVE-2023-54358 Overview
CVE-2023-54358 is a reflected cross-site scripting (XSS) vulnerability in the WordPress adivaha Travel Plugin version 2.3. The flaw exists in the /mobile-app/v3/ endpoint, where the isMobile GET parameter is reflected into the response without proper sanitization or output encoding. Unauthenticated attackers can craft malicious URLs containing JavaScript payloads that execute in a victim's browser when clicked. Successful exploitation enables session token theft, credential harvesting, and unauthorized actions performed in the context of the targeted user. The vulnerability is tracked under CWE-79.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in victim browsers, leading to session hijacking and credential theft on WordPress sites running adivaha Travel Plugin 2.3.
Affected Products
- WordPress adivaha Travel Plugin version 2.3
- WordPress sites with the adiaha-hotel plugin installed
- Endpoint: /mobile-app/v3/ accepting the isMobile parameter
Discovery Timeline
- 2026-04-09 - CVE-2023-54358 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2023-54358
Vulnerability Analysis
The vulnerability is a classic reflected XSS issue caused by improper neutralization of user-controlled input during web page generation. The plugin's mobile application handler at /mobile-app/v3/ accepts the isMobile query string parameter and embeds its value directly into the HTTP response. Because the application applies neither contextual output encoding nor input validation, attacker-supplied HTML and JavaScript reach the browser intact. When a victim follows a crafted link, the injected script executes under the origin of the vulnerable WordPress site. The attack requires user interaction, but no authentication is necessary on the target site, so any visitor who follows the link is a potential victim rather than only logged-in users.
Root Cause
The root cause is missing sanitization and output encoding for the isMobile GET parameter within the adivaha Travel Plugin codebase. The plugin treats the parameter as trusted display data rather than untrusted user input. There is no allowlist validation, no HTML entity encoding, and no Content Security Policy fallback to constrain script execution. This mirrors the CWE-79 weakness pattern documented across many WordPress plugin advisories.
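The root cause above is easiest to see side by side with its fixes. The following is an added Python model of the pattern, not the plugin's PHP and not code from the advisory: a handler that reflects isMobile verbatim, one that only output-encodes, and one that allowlists the flag first and encodes second. The template markup and the accepted values (0, 1, true, false) are assumptions, since the advisory does not document what the real handler renders or accepts.

```python
import html
import re

# Assumed allowlist for a boolean-style flag; the plugin's real accepted values are
# not documented in the advisory, so this set is an illustrative placeholder.
ALLOWED_ISMOBILE = {"0", "1", "true", "false"}

# The intended shape of the output: the attribute value must never contain a quote
# or an angle bracket, otherwise the client has broken out of the attribute.
TEMPLATE = re.compile(r'^<div class="app-shell" data-mobile="[^"<>]*">\.\.\.</div>$')


def render_vulnerable(raw):
    """Model of the CWE-79 pattern: the parameter is dropped into HTML verbatim."""
    return f'<div class="app-shell" data-mobile="{raw}">...</div>'


def render_escaped_only(raw):
    """Contextual output encoding alone. Correct for a quoted attribute context
    (quote=True also encodes the quote characters), but the page still carries
    whatever the client sent, just neutralized."""
    return f'<div class="app-shell" data-mobile="{html.escape(raw, quote=True)}">...</div>'


def normalize_is_mobile(raw):
    """Allowlist validation: collapse the flag to '1' or '0', reject anything else."""
    value = (raw or "").strip().lower()
    if value not in ALLOWED_ISMOBILE:
        raise ValueError("isMobile must be one of 0, 1, true, false")
    return "1" if value in ("1", "true") else "0"


def render_hardened(raw):
    """Validate first, then encode for the attribute context as a second layer."""
    try:
        flag = normalize_is_mobile(raw)
    except ValueError:
        flag = "0"  # fail closed: unknown values get the non-mobile rendering
    return f'<div class="app-shell" data-mobile="{html.escape(flag, quote=True)}">...</div>'


def attribute_intact(rendered):
    """True when the rendered markup still matches the intended template."""
    return TEMPLATE.match(rendered) is not None


if __name__ == "__main__":
    # Constructed probe value that closes the attribute and opens a new tag.
    probe = '"><script>probe</script><div x="'
    for name, fn in (("vulnerable", render_vulnerable),
                     ("escaped only", render_escaped_only),
                     ("hardened", render_hardened)):
        out = fn(probe)
        print(f"{name:13s} intact={attribute_intact(out)} {out}")
```

Escaping alone is enough for this particular attribute context, but the allowlist is the better primary control for a parameter that only ever means "mobile or not": it removes the question of which encoding is right for which context, and the encoding stays as defense in depth.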
Attack Vector
An attacker crafts a URL targeting the vulnerable endpoint with a JavaScript payload placed inside the isMobile parameter. The attacker distributes the link through phishing emails, malicious advertising, forum posts, or social media. When a victim clicks the link, the WordPress server reflects the payload into the rendered page and the browser executes it. The script can read cookies that are not flagged HttpOnly, exfiltrate form data, perform CSRF-style requests to the WordPress admin interface, or redirect the user to attacker-controlled phishing pages. Refer to the VulnCheck Advisory and Exploit-DB #51663 for the documented proof-of-concept.
Detection Methods for CVE-2023-54358
Indicators of Compromise
- HTTP requests to /mobile-app/v3/ containing isMobile= followed by URL-encoded <script>, onerror=, onload=, or javascript: tokens.
- Web server access logs showing unusually long isMobile query string values or values containing angle brackets and quotes.
- Referrer headers from external phishing domains pointing at the /mobile-app/v3/ path.
- Outbound browser requests to unfamiliar domains immediately after a user visits the vulnerable endpoint.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the isMobile parameter for HTML or JavaScript metacharacters and block requests at the edge.
- Search WordPress and reverse proxy logs for the regex pattern isMobile=[^&]*(<|%3C|script|onerror|javascript) to identify exploitation attempts. Match case-insensitively, since %3c and mixed-case tag names are equivalent to the browser, and run the same pattern over URL-decoded values so double-encoded payloads are not missed.
- Correlate suspicious /mobile-app/v3/ requests with subsequent administrator session activity to detect session theft follow-ups.
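The detection strategies above, implemented as an added Python log scanner (example code, not from the advisory or from any product). It parses combined-format access log lines, pulls the raw isMobile value the way nginx's $arg_ variables see it, applies the token pattern from the advisory both raw and after repeated percent-decoding, and also flags unusually long and double-encoded values. The sample log lines, IP addresses, referrer and the length threshold are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Token pattern from the detection guidance above, applied case-insensitively to
# both the raw and the decoded parameter value.
XSS_TOKENS = re.compile(r"<|%3C|script|onerror|onload|javascript", re.IGNORECASE)
MAX_VALUE_LEN = 16  # assumed threshold for an "unusually long" isMobile value
TARGET_PREFIX = "/mobile-app/v3/"

# Combined log format (Apache/nginx default style): client, timestamp, request
# line, status, size, referrer, user agent.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)

# Constructed sample access log: one benign request, one encoded payload with an
# external referrer, one double-encoded payload, and one request elsewhere.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Apr/2026:10:00:00 +0000] "GET /mobile-app/v3/?isMobile=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Apr/2026:10:05:13 +0000] "GET /mobile-app/v3/?isMobile=%3Cscript%3Eprobe%3C%2Fscript%3E HTTP/1.1" 200 640 "http://phish.example/lure" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Apr/2026:10:05:20 +0000] "GET /mobile-app/v3/?ismobile=%253Cscript%253Eprobe%253C%252Fscript%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Apr/2026:10:06:00 +0000] "GET /wp-login.php?redirect_to=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are inspected in the clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def raw_query_values(query, name):
    """Undecoded values of `name`; the key match is case-insensitive like nginx $arg_."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == name.lower():
            values.append(value)
    return values


def inspect_request(path):
    """Reasons a request to the vulnerable endpoint looks like an exploitation attempt."""
    parts = urlsplit(path)
    if not parts.path.startswith(TARGET_PREFIX):
        return []
    reasons = []
    for raw in raw_query_values(parts.query, "isMobile"):
        decoded = fully_decode(raw)
        if XSS_TOKENS.search(raw) or XSS_TOKENS.search(decoded):
            reasons.append("metacharacters")
        if len(decoded) > MAX_VALUE_LEN:
            reasons.append("long-value")
        if decoded != unquote(raw):
            reasons.append("double-encoded")
    return reasons


def scan_log(lines):
    """One finding per suspicious request: who, when, from where, and why."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group("path"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "referer": m.group("referer") or "-",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The referrer is kept in each finding because the advisory's indicators include links arriving from external phishing domains; the double-encoded check matters because a single-pass WAF or grep on %3C sees only %253C and lets the request through.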
Monitoring Recommendations
- Forward WordPress access logs to a centralized SIEM or data lake and alert on reflected-XSS payload signatures.
- Monitor browser telemetry for unexpected script execution originating from the WordPress site origin.
- Track plugin inventory across the WordPress estate to identify any host still running adivaha Travel Plugin 2.3.
How to Mitigate CVE-2023-54358
Immediate Actions Required
- Disable or uninstall the adivaha Travel Plugin 2.3 until a vendor-patched version is confirmed available on the WordPress Plugin Page.
- Block external access to the /mobile-app/v3/ endpoint via WAF or web server rewrite rules if the plugin must remain installed.
- Force password resets and invalidate active sessions for administrators who may have clicked suspicious links referencing the endpoint.
- Set the HttpOnly and Secure flags on WordPress authentication cookies to reduce the value of stolen session tokens.
Patch Information
No vendor patch is referenced in the current advisory data. Administrators should monitor the Adivaha Official Website and the WordPress Plugin Page for an updated release that sanitizes the isMobile parameter. Until a fixed version is published, treat any deployment of version 2.3 as exposed.
Workarounds
- Apply a WAF signature that rejects requests where isMobile contains <, >, ", ', or the strings script, onerror, onload, or javascript:.
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
- Restrict access to /mobile-app/v3/ to known mobile client IP ranges if the endpoint is only used by internal integrations.
- Educate users and administrators to avoid clicking unsolicited links pointing at the WordPress site, especially those containing query parameters.
# Example nginx rule to block XSS payloads in the isMobile parameter.
# $arg_isMobile holds the raw, still percent-encoded query value, which is why
# the pattern lists both "<" and "%3C"; the ~* operator matches case-insensitively.
location /mobile-app/v3/ {
    if ($arg_isMobile ~* "(<|%3C|script|onerror|onload|javascript:)") {
        return 403;
    }
    proxy_pass http://wordpress_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.