Themes Vulnerabilities

OneTone <= 3.0.6 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

Due to missing capability checks and security nonces, an unauthenticated attacker can use the theme options import feature to inject JavaScript code into all pages and posts of the website

Affects Themes

onetone
No known fix

References

CVE
CVE-2019-17230
CVE
CVE-2019-17231
URL
https://blog.nintechnet.com/unauthenticated-stored-xss-vulnerability-in-wordpress-onetone-theme-unpatched/
URL
https://blog.sucuri.net/2020/04/onetone-vulnerability-leads-to-javascript-cookie-hijacking.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet.com)
Verified
No
WPVDB ID
048926c6-1b4b-42c7-a49c-627bd36074ef

Timeline

Publicly Published
2020-04-03 (about 5 years ago)
Added
2020-04-03 (about 5 years ago)
Last Updated
2020-10-02 (about 5 years ago)

Other

Published
Title
Published
2024-04-29
Title
Login Logout Register Menu <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-15
Title
Image Source Control < 2.29.1 - Reflected Cross-Site Scripting
Published
2022-06-23
Title
Loading Page with Loading Screen < 1.0.83 - Admin+ Stored Cross-Site Scripting
Published
2025-04-10
Title
Question Answer < 1.2.71 - Reflected Cross-Site Scripting
Published
2022-10-28
Title
WP Best Quiz <= 1.0 - Author+ Stored XSS