Xenon Theme <= 1.3 – Unauthenticated Cross-Site Scripting (XSS) | CVE 2020-14010

Description

The premium Xenon WordPress theme was found to be vulnerable to Unauthenticated Cross-Site Scripting (XSS) in the "q" parameter of the /data/typeahead-generate.php page. The affected version of the plugin was 1.3 and below, however, the vendor fixed the vulnerability but did not bump the version number. Therefore it is impossible to know which versions have been patched, or not. This issue will be updated as soon as we are aware that a new version, with the fix, has been released. If this has happened and we have not updated it yet, please contact us and we'll update this issue.

Proof of Concept

1. go to this path /data/typeahead-generate.php

2. enter this payload <img src=x onerror=alert(1)> in q parameter

Affects Themes

xenon

No known fix

References

CVE

CVE-2020-14010

URL

https://themeforest.net/item/xenon-bootstrap-admin-theme-with-angularjs/9059661

URL

https://knassar702.github.io/cve/xenon/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Khaled Nassar

Verified

WPVDB ID

a7173558-ec1b-45ec-9a14-45eae42b7ded

Timeline

Publicly Published

2020-03-26 (about 6 years ago)

Added

2020-06-15 (about 5 years ago)

Last Updated

2020-08-12 (about 5 years ago)

Other

Published

Title

Published

2024-10-22

Title

WP Shortcodes Plugin — Shortcodes Ultimate < 7.3.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Published

2025-09-03

Title

PDF for WPForms < 6.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-03

Title

Quiz and Survey Master (QSM) < 9.2.1 - Author+ Stored XSS

Published

2024-09-30

Title

Gallery Lightbox < 1.0.0.41 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2025-06-26

Title

A/B Testing for WordPress <= 1.18.2 - Authenticated (Contributor+) Stored Cross-Site Scripting