Themes Vulnerabilities

Car Repair Services < 4.0 - Unauthenticated Reflected XSS & XFS

Description

The theme did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue

Proof of Concept

Affects Themes

car-repair-services
Fixed in 4.0

References

CVE
CVE-2021-24335
URL
https://themeforest.net/item/car-repair-services-auto-mechanic-wordpress-theme/19823557
URL
https://m0ze.ru/vulnerability/[2021-02-12]-[WordPress]-[CWE-79]-Car-Repair-Services-WordPress-Theme-v3.9.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified
Yes
WPVDB ID
39258aba-2449-4214-a490-b8e46945117d

Timeline

Publicly Published
2021-05-17 (about 4 years ago)
Added
2021-05-17 (about 4 years ago)
Last Updated
2021-05-18 (about 4 years ago)

Other

Published
Title
Published
2025-07-16
Title
JetSmartFilters < 3.6.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-05
Title
Widgets for Google Reviews < 9.8 - Contributor+ Stored XSS
Published
2025-04-04
Title
Simple WP Events < 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-09-05
Title
Ldap WP Login / Active Directory Integration < 3.0.2 - Reflected Cross-Site Scripting
Published
2024-10-23
Title
WP Adminify – Best WordPress Custom Dashboard Plugin < 4.0.1.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload