Themes Vulnerabilities

Custom Community < 2.0.25 - Stored Cross-Site Scripting (XSS)

Description

An AJAX action named ‘cc2_advanced_settings_save’ is registered both with and without the ‘nopriv’ prefix. This allows anonymous execution of this AJAX action. The ‘settings[custom_css]’ form field accepts user input, without encoding or validation. This input is then output on every page on the front-end of the site, so long as the Theme is active. This allows for a site-wide, Persistent XSS attack.

Affects Themes

custom-community
Fixed in 2.0.25

References

URL
https://g0blin.co.uk/g0blin-00029/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Submitter
James Hooker
Submitter website
https://research.g0blin.co.uk
Submitter twitter
g0blinResearch
Verified
No
WPVDB ID
7c3aa556-0c8a-4247-ad65-fad74e7cc306

Timeline

Publicly Published
2015-03-09 (about 11 years ago)
Added
2015-03-09 (about 11 years ago)
Last Updated
2021-01-27 (about 5 years ago)

Other

Published
Title
Published
2022-05-31
Title
Easy Pricing Tables < 3.2.1 - Reflected Cross-Site-Scripting
Published
2018-03-08
Title
Import any XML or CSV File to WordPress <= 3.4.5 - Cross-Site Scripting (XSS)
Published
2025-03-21
Title
Easy Custom Admin Bar <= 1.0 - Reflected Cross-Site Scripting via msg Parameter
Published
2025-09-26
Title
kontur Admin Style < 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-07-09
Title
Tabs For WPBakery Page Builder <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting