Themes Vulnerabilities

BeTheme < 26.6.3 - Subscriber+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Stored Cross-Site Scripting attacks

Affects Themes

betheme
Fixed in 26.6.3

References

CVE
CVE-2022-45363

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
dbd061df-fef9-4cfd-b4ae-ae5fae5501a1

Timeline

Publicly Published
2022-11-22 (about 3 years ago)
Added
2022-11-22 (about 3 years ago)
Last Updated
2022-11-23 (about 3 years ago)

Other

Published
Title
Published
2024-09-09
Title
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor < 2.0.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-jltma-wrapper-link Element
Published
2025-09-22
Title
Dialogity Free Live Chat < 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-10-31
Title
SKSDEV Toolkit <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-21
Title
WOO Codice Fiscale <= 1.6.3 - Reflected Cross-Site Scripting
Published
2025-12-28
Title
FlippingBook < 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting