Themes Vulnerabilities

Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Description

The theme did not properly sanitise the search query, leading to an unauthenticated reflected Cross-Site Scripting issue

Proof of Concept

Affects Themes

nova-lite
Fixed in 1.3.9

References

CVE
CVE-2020-17362

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Talip Karabas
Verified
Yes
WPVDB ID
30a83491-2f59-4c41-98bd-a9e6e5a609d4

Timeline

Publicly Published
2020-08-13 (about 5 years ago)
Added
2020-08-13 (about 5 years ago)
Last Updated
2020-08-14 (about 5 years ago)

Other

Published
Title
Published
2021-11-23
Title
Paid Memberships Pro < 2.6.6 - Reflected Cross-Site Scripting
Published
2023-03-29
Title
Social Proof (Testimonial) Slider < 2.2.4 - Admin+ Stored XSS
Published
2017-11-15
Title
Yoast SEO < 5.8 - Authenticated Cross-Site Scripting (XSS)
Published
2025-04-04
Title
Doppler Forms < 2.6.0 - Contributor+ Stored XSS
Published
2025-01-03
Title
Order Audit Log for WooCommerce <= 2.0 - Reflected Cross-Site Scripting