Themes Vulnerabilities

Superlist <= 2.9.2 - Stored Cross-Site Scripting (XSS)

Description

Persistent XSS was discovered in the 'Superlist - Directory WordPress Theme', the version tested was v2.9.2.

Edit (WPScanTeam):
December 2nd, 2019 - Envato Contacted
December 2nd, 2019 - Envato Investigating
December 12th, 2019 - No updates, disclosing

Proof of Concept

Affects Themes

superlist
No known fix

References

URL
https://themeforest.net/item/superlist-directory-wordpress-theme/13507181

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
SUBVΞRSΛ
Submitter
SUBVΞRSΛ
Verified
No
WPVDB ID
9a1ac8f9-fe25-4207-b505-04c0dc2a2ad5

Timeline

Publicly Published
2019-12-02 (about 6 years ago)
Added
2019-12-12 (about 6 years ago)
Last Updated
2021-01-19 (about 5 years ago)

Other

Published
Title
Published
2023-07-12
Title
Media Library Assistant < 3.08 - Reflected Cross-Site Scripting
Published
2024-12-08
Title
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes < 8.0.1 - Reflected XSS
Published
2026-05-04
Title
Blog Settings <= 1.0 - Reflected Cross-Site Scripting via 'page' Parameter
Published
2026-02-18
Title
Institute Management <= 5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Enquiry Form Title' Setting
Published
2023-11-20
Title
myCred < 2.6.2 - Contributor+ Stored XSS