WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

Themes Vulnerabilities

Wibar < 1.2.1 - Authenticated Stored Cross-Site Scripting

Description

The theme contains a Brands feature which is vulnerable to stored Cross Site Scripting (XSS) within the logo URL parameter.

Edit (WPScanTeam)

November 27th, 2020 - Vendor Contacted via https://themeftc.ticksy.com/submit/
November 28th-29th, 2020 - Exchanges with vendor's support but they do not understand the issue.
November 30th, 2020 - Escalated to Envato and disclosure
December 3rd, 2020 - v1.2.1 released, apparently fixing the issue (but we were not able to confirm)

Affects Themes

wibar
Fixed in version 1.2.1

References

URL
https://themeforest.net/item/wibar-responsive-woocommerce-wordpress-theme/20994798
ExploitDB
49107

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Ilca Lucian Florin

Verified

No

WPVDB ID
f198c8b7-34b6-48d2-9581-8ab62d7ddcef

Timeline

Publicly Published

2020-11-30 (about 2 years ago)

Added

2020-11-30 (about 2 years ago)

Last Updated

2020-12-03 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin