Themes Vulnerabilities

Ask Me < 6.8.2 - Reflected Cross-Site Scripting

Description

The theme does not properly sanitise and escape several of the fields in the Edit Profile page, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Affects Themes

ask-me
Fixed in 6.8.2

References

CVE
CVE-2022-1241

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Veshraj Ghimire
Submitter
Veshraj Ghimire
Submitter website
https://veshrajghimire.com.np
Submitter twitter
GhimireVeshraj
Verified
Yes
WPVDB ID
3258393a-eafb-4356-994e-2ff8ce223c9b

Timeline

Publicly Published
2022-05-16 (about 3 years ago)
Added
2022-05-16 (about 3 years ago)
Last Updated
2022-05-17 (about 3 years ago)

Other

Published
Title
Published
2023-02-20
Title
FluentSMTP < 2.2.3 - Stored XSS via Email Logs
Published
2025-03-25
Title
Ayyash Studio <= 1.0.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2025-05-06
Title
CarDealerPress < 6.8.2505.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via saleclass Parameter
Published
2024-11-12
Title
jwp-a11y <= 4.1.7 - Admin+ Stored XSS
Published
2024-01-22
Title
Popup Box Pro < 20.9.0 - Admin+ Stored XSS