Themes Vulnerabilities

Multiple DeoThemes Themes - Reflected Cross-Site Scripting

Description

Several themes for WordPress by DeoThemes are vulnerable to Reflected Cross-Site Scripting via breadcrumbs in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Themes

amela
Fixed in 1.0.14
arendelle
Fixed in 1.1.13
nokke
Fixed in 1.2.4
everse
Fixed in 1.8.12
medikaid
Fixed in 1.1.3

References

CVE
CVE-2023-3708
URL
https://www.wordfence.com/threat-intel/vulnerabilities/detail/multiple-deothemes-themes-various-versions-reflected-cross-site-scripting

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
FearZzZz
Verified
Yes
WPVDB ID
7bbf9b3f-ed69-4250-b603-b35af7f64869

Timeline

Publicly Published
2023-07-17 (about 2 years ago)
Added
2023-07-20 (about 2 years ago)
Last Updated
2023-07-20 (about 2 years ago)

Other

Published
Title
Published
2024-11-13
Title
Linear < 2.8.1 - Contributor+ Stored XSS
Published
2025-10-02
Title
Ultimate Multi Design Video Carousel <= 1.4 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2025-01-15
Title
Social Pug: Author Box <= 1.0.0 - Reflected Cross-Site Scripting
Published
2017-10-16
Title
Easy Appointments < 1.12.0 - Cross-Site Scripting (XSS)
Published
2022-02-17
Title
Profile Builder < 3.6.2 - Reflected Cross-Site Scripting