Wibar < 1.2.1 – Authenticated Stored Cross-Site Scripting | Theme Vulnerabilities

Description

The theme contains a Brands feature which is vulnerable to stored Cross Site Scripting (XSS) within the logo URL parameter.

Edit (WPScanTeam)

November 27th, 2020 - Vendor Contacted via https://themeftc.ticksy.com/submit/
November 28th-29th, 2020 - Exchanges with vendor's support but they do not understand the issue.
November 30th, 2020 - Escalated to Envato and disclosure
December 3rd, 2020 - v1.2.1 released, apparently fixing the issue (but we were not able to confirm)

Affects Themes

Fixed in 1.2.1

References

Exploitdb

URL

https://themeforest.net/item/wibar-responsive-woocommerce-wordpress-theme/20994798

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ilca Lucian Florin

Verified

No

WPVDB ID

f198c8b7-34b6-48d2-9581-8ab62d7ddcef

Timeline

Publicly Published

2020-11-30 (about 5 years ago)

Added

2020-11-30 (about 5 years ago)

Last Updated

2020-12-03 (about 5 years ago)

Other

Published

Title

Published

2024-09-30

Title

Create < 2.9.2 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2023-04-07

Title

Email Subscription Popup < 1.2.17 - Reflected XSS

Published

2024-12-17

Title

Contests by Rewards Fuel < 2.0.66 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-09-26

Title

Tutor LMS < 2.0.10 - Admin+ Stored Cross-Site Scripting

Published

2023-06-15

Title

CHP Ads Block Detector < 3.9.8 - Subscriber+ Stored Cross-Site Scripting