Enfold Theme < 4.8.4 – Reflected Cross-Site Scripting (XSS) | CVE 2021-24719

Description

The Enfold theme was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder.

Proof of Concept

The issue appears when pagination comes in place while navigating on a WordPress site with Enfold theme active. When that occurs, the parameter “avia-element-paging” appears.

https://[website]/paginated-entry/........&avia-element-paging=2

It is possible for an attacker to add some input text in the URL that is reflected on the response. Therefore, there is a XSS vulnerability that can be exploited crafting a customized URL which includes a link to a paginated entry:

https://[website]/paginated-entry/?ProofOfConcept

"ProofOfConcept" text will be reflected on the server's response. It will be included on generated page buttons.

The attacker can exploit this issue by sending the following payload:

?%2527%253E%253Cscript%253Eeval%2528atob%2528%2522Y29uc29sZS5sb2coZG9jdW1lbnQuY29va2llKQ%253D%253D%2522%2529%2529%253C%252Fscript%253E

which can be decoded as:

'><script>eval(atob("Y29uc29sZS5sb2coZG9jdW1lbnQuY29va2llKQ=="))</script>


and the Base64 payload decoded as:

console.log(document.cookie);