Themes Vulnerabilities

TheRoof < 1.0.4 - Unauthenticated Reflected XSS

Description

The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against visitors following crafted links.

Affects Themes

theroof
Fixed in 1.0.4

References

CVE
CVE-2023-29430

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
FearZzZz
Verified
No
WPVDB ID
88d23e56-216e-4fde-a825-25e03b04975f

Timeline

Publicly Published
2023-06-26 (about 2 years ago)
Added
2023-06-27 (about 2 years ago)
Last Updated
2023-06-27 (about 2 years ago)

Other

Published
Title
Published
2026-01-06
Title
Niche Hero | Beautifully-designed blocks in seconds <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'spacing' Shortcode Attribute
Published
2014-04-25
Title
Pay Per Media Player <= 1.24 - Multiple XSS
Published
2026-01-08
Title
SlimStat Analytics < 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter
Published
2014-08-01
Title
Pinboard 1.0.6 - includes/theme-options.php tab Parameter XSS
Published
2025-12-12
Title
Colibri Page Builder < 1.0.342 - Authenticated (Contributor+) Stored Cross-Site Scripting