Due to an incomplete fix of CVE-2020-16140 (see https://wpscan.com/vulnerability/10444), the reflected XSS attack is still possible against unauthenticated users: the search_nonce can be extracted from the source of the homepage and added to the original payload. This works because WP nonces are tied to the logged-in user ID; for unauthenticated users that ID is always 0, so every anonymous visitor is issued the same nonce.
Get the search_nonce from the page source, e.g. https://demo.thembay.com/greenmart, and add it to the payload URL via the security parameter: https://demo.thembay.com/greenmart/wp-admin/admin-ajax.php?callback=%3Csvg/onload=alert(/XSS/)%3E&action=greenmart_autocomplete_search&term=defaultText&security=448d6cbda2
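The underlying defect is that the `callback` parameter is reflected into the response unescaped, and the nonce check added for CVE-2020-16140 does not help because, as noted above, anonymous visitors all share the user-ID-0 nonce. The following is an added example of how a hardened handler for this endpoint would look; it is not the GreenMart theme's own code. The AJAX action name and the `security`, `callback` and `term` parameters are taken from the advisory; the nonce action string (`search_nonce`), the function name and the result set are assumptions.

```php
<?php
// Added example (not the GreenMart theme's code): a hardened admin-ajax
// handler for the greenmart_autocomplete_search action.
add_action( 'wp_ajax_greenmart_autocomplete_search', 'example_safe_autocomplete' );
add_action( 'wp_ajax_nopriv_greenmart_autocomplete_search', 'example_safe_autocomplete' );

function example_safe_autocomplete() {
    // Keep the nonce check, but treat it as a CSRF control only. For anonymous
    // visitors it is derived from user ID 0 and is readable in the page source,
    // so it cannot stop a reflected XSS by itself. ('search_nonce' is assumed.)
    check_ajax_referer( 'search_nonce', 'security' );

    // Root cause: a client-supplied callback name was echoed verbatim. Only
    // accept a strict JavaScript identifier; anything containing markup such as
    // "<svg/onload=...>" is rejected before it reaches the response.
    $callback = isset( $_GET['callback'] ) ? wp_unslash( $_GET['callback'] ) : '';
    if ( ! preg_match( '/^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/', $callback ) ) {
        wp_send_json_error( array( 'message' => 'invalid callback' ), 400 );
    }

    // Sanitize the search term as well; it must never be reflected raw.
    $term    = sanitize_text_field( wp_unslash( $_GET['term'] ?? '' ) );
    $results = array(); // hypothetical: populate from the theme's search logic

    // Declare the body as script, not HTML, and forbid MIME sniffing so the
    // browser will not render the response as a document.
    header( 'Content-Type: application/javascript; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );

    // wp_json_encode() produces a JSON literal that is safe to embed in script.
    echo '/**/' . $callback . '(' . wp_json_encode( $results ) . ');';
    wp_die();
}
```

If the JSONP wrapper is not actually needed by the front end, dropping the `callback` parameter entirely and returning plain JSON via `wp_send_json_success()` removes the reflected sink altogether; that is the simpler fix when the consumer is same-origin JavaScript.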
2020-10-29
2020-10-29
2020-10-31