Themes Vulnerabilities

Prolisting - Directory Listing < 1.27 - Unauthenticated Reflected XSS

Description

Unauthenticated Reflected XSS vulnerability was discovered in the «Prolisting - Directory Listing WordPress Theme», tested version — v1.2.

Proof of Concept

Affects Themes

prolist
Fixed in 1.27

References

URL
https://themeforest.net/item/prolist-directory-listing-wordpress-theme/19504953
URL
https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-prolisting-directory-listing-wordpress-theme-v1-2.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Submitter
VLΛD VΞCTOR
Submitter website
https://vladvector.ru
Submitter twitter
vlad_vector
Verified
Yes
WPVDB ID
4704c9fc-ac10-4751-82f6-f4a4a8666ad2

Timeline

Publicly Published
2020-07-13 (about 5 years ago)
Added
2020-07-13 (about 5 years ago)
Last Updated
2020-07-15 (about 5 years ago)

Other

Published
Title
Published
2024-08-26
Title
IntoTheDark <= 1.0.5 - Reflected Cross-Site Scripting
Published
2023-05-02
Title
Newsletter Popup <= 1.2 - Unauthenticated Stored XSS
Published
2025-06-12
Title
Telegram for WP <= 1.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-05-01
Title
KiwiChat NextClient <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Published
2026-03-03
Title
WPBookit < 1.0.9 - Unauthenticated Stored Cross-Site Scripting via 'wpb_user_name' and 'wpb_user_email' Parameters