Themes Vulnerabilities

Meris <= 1.1.2 - Reflected XSS

Description

The theme does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Affects Themes

meris
No known fix

References

CVE
CVE-2023-7194

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Angelo Delicato
Submitter
Angelo Delicato
Submitter website
https://www.thelicato.io
Submitter twitter
thelicato
Verified
Yes
WPVDB ID
e20292af-939a-4cb1-91e4-5ff6aa0c7fbe

Timeline

Publicly Published
2024-01-01 (about 1 year ago)
Added
2024-01-01 (about 1 year ago)
Last Updated
2024-01-01 (about 1 year ago)

Other

Published
Title
Published
2020-05-07
Title
Iframe < 4.5 - Authenticated Stored Cross Site Scripting (XSS)
Published
2023-10-18
Title
Smart App Banner < 1.1.4 - Admin+ Stored XSS
Published
2024-06-22
Title
WP Affiliate Platform < 6.5.1 - Stored XSS via CSRF
Published
2021-06-16
Title
Backup by 10Web <= 1.0.20 - Reflected Cross-Site Scripting (XSS)
Published
2023-08-17
Title
RSVPMarker < 10.6.7 - Unauthenticated Stored XSS