Themes Vulnerabilities

Findgo - Directory Listing < 1.3.32 - Unauthenticated Reflected and Authenticated Stored XSS

Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in the «Findgo - Directory Listing WordPress Theme», tested version — v1.3.30.

Proof of Concept

Affects Themes

findgo
Fixed in 1.3.32

References

URL
https://themeforest.net/item/findgo-directory-listing-wordpress-theme/21943352
URL
https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-findgo-directory-listing-wordpress-theme-v1-3-30.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Submitter
VLΛD VΞCTOR
Submitter website
https://vladvector.ru
Submitter twitter
vlad_vector
Verified
Yes
WPVDB ID
1d0b3534-b53d-40eb-b379-5ddd1f536620

Timeline

Publicly Published
2020-07-13 (about 5 years ago)
Added
2020-07-13 (about 5 years ago)
Last Updated
2020-07-15 (about 5 years ago)

Other

Published
Title
Published
2024-04-15
Title
Shortcodes and extra features for Phlox theme < 2.15.8 - Contributor+ Stored XSS via aux_gmaps Shortcode
Published
2023-10-25
Title
VK Filter Search < 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-03-17
Title
WP Azure offload <= 2.0 - Reflected Cross-Site Scripting
Published
2024-12-11
Title
WP GeoNames < 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-27
Title
Accordion Image Menu <= 3.1.3 - Stored XSS via CSRF