Themes Vulnerabilities

Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Description

The theme did not properly sanitise the search query, leading to an unauthenticated reflected Cross-Site Scripting issue

Proof of Concept

/?s=%3Cimg%20src%20onerror=alert(/XSS/)%3E

Affects Themes

nova-lite
Fixed in 1.3.9

References

CVE
CVE-2020-17362

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Talip Karabas
Verified
Yes
WPVDB ID
30a83491-2f59-4c41-98bd-a9e6e5a609d4

Timeline

Publicly Published
2020-08-13 (about 3 years ago)
Added
2020-08-13 (about 3 years ago)
Last Updated
2020-08-14 (about 3 years ago)

Other

Published
Title
Published
2023-11-02
Title
Digirisk 6.0.0.0 - Reflected Cross-Site Scripting
Published
2022-07-11
Title
Featured Image from URL < 4.0.1 - Admin+ Stored Cross-Site Scripting
Published
2024-05-14
Title
Import and export users and customers < 1.26.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-11-21
Title
EventPrime – Modern Events Calendar, Bookings and Tickets < 3.3.3 - Contributor+ Stored XSS
Published
2023-11-13
Title
Uploading SVG, WEBP and ICO files <= 1.2.1 - Author+ Stored XSS via SVG