Themes Vulnerabilities
Multiple Themes - Reflected Cross-Site Scripting via Customizer Notify
Description
The quality_customizer_notify_dismiss_action and ti_customizer_notify_dismiss_recommended_plugins AJAX actions (names can differ depending on the theme), available to authenticated users in multiple themes do not validate or escape the id parameter before outputting it back in the response, leading to Reflected Cross-Site Scripting issues. Furthermore, the actions are also missing CSRF and capability checks (however the risk is extremely low, only allowing attackers to dismiss recommendations).
Vendors were notified on October 20th, 2021.
Proof of Concept
With the designexo theme installed and active: https://example.com/wp-admin/admin-ajax.php?action=quality_customizer_notify_dismiss_action&id=%3Cscript%3Ealert(/XSS/)%3C/script%3E https://example.com/wp-admin/admin-ajax.php?action=ti_customizer_notify_dismiss_recommended_plugins&id=%3Cscript%3Ealert(/XSS/)%3C/script%3E AJAX actions may be different depending on the affected theme
Affects Themes
Fixed in 3.7
Fixed in 1.6.7
Fixed in 2.9.7
Fixed in 2.3.5
Fixed in 5.7 
No known fix
Fixed in 2.3.6
Fixed in 1.2.3
Fixed in 3.2.6
No known fix
No known fix
Fixed in 0.2.4
No known fix
Fixed in 1.1.9
Fixed in 0.1.4
Fixed in 2.3.8
Fixed in 1.1
No known fix
Fixed in 2.4.9
No known fix
No known fix
Fixed in 2.0.3
No known fix
No known fix
No known fix
No known fix
No known fix
No known fix
No known fix
Fixed in 1.1.6
Fixed in 2.7.4
Fixed in 2.1.4
Fixed in 1.2.3
No known fix
Fixed in 1.7.7
Fixed in 1.7.2
Fixed in 2.2.1
Fixed in 1.4.1
Fixed in 1.4.2
Fixed in 2.0.5
No known fix
Fixed in 1.1.5
Fixed in 1.1.2 Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-02-14 (about 2 years ago)
Added
2022-02-14 (about 2 years ago)
Last Updated
2023-07-26 (about 10 months ago)
WPScan 