Themes Vulnerabilities

Modern Theme <= 1.4.1 - DOM Cross-Site Scripting (XSS)

Description

The Modern WordPress theme was affected by a DOM Cross-Site Scripting (XSS) security vulnerability.

Proof of Concept

http://www.example.com/wp-content/themes/modern/genericons/example.html#<img src=x onerror=alert(1)>

Affects Themes

modern
Fixed in 1.4.2

References

CVE
CVE-2015-9503
URL
https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
Yes
WPVDB ID
a1d88840-10ba-4d27-bc3a-782cc617484b

Timeline

Publicly Published
2015-05-12 (about 9 years ago)
Added
2015-05-14 (about 8 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2023-06-08
Title
WP Mail Logging < 1.11.2 - Unauthenticated Stored Cross-Site Scripting
Published
2015-05-30
Title
Social Media & Share Icons <= 1.1.1.11 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2024-01-26
Title
coreActivity < 1.8.1 - Unauthenticated Stored XSS
Published
2023-11-15
Title
BMI Calculator Plugin <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-02-26
Title
SoundCloud Shortcode < 4.0.2 - Contributor+ Stored XSS