Themes Vulnerabilities

Soledad < 8.2.5 - Reflected Cross-site Scripting

Description

The theme does not sanitise the {id,datafilter[type],...} parameters in its penci_more_slist_post_ajax AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.

Proof of Concept

Affects Themes

soledad
Fixed in 8.2.5

References

CVE
CVE-2022-3209

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Truoc Phan
Submitter
Truoc Phan
Submitter website
https://www.facebook.com/292706121240740
Submitter twitter
truocphan
Verified
Yes
WPVDB ID
7a244fb1-fa0b-4294-9b51-588bf5d673a2

Timeline

Publicly Published
2022-09-13 (about 3 years ago)
Added
2022-09-13 (about 3 years ago)
Last Updated
2022-09-13 (about 3 years ago)

Other

Published
Title
Published
2023-10-19
Title
Motors – Car Dealer & Classified Ads < 1.4.7 - Reflected XSS
Published
2025-03-02
Title
Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin <= 2.2 - Reflected Cross-Site Scripting
Published
2022-05-30
Title
New User Approve < 2.4.1 - Reflected Cross-Site Scripting
Published
2025-12-05
Title
TR Timthumb <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2023-04-19
Title
Login Page Styler < 6.2.5 - Admin+ Stored XSS