Greenmart < 2.5.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Description
Due to an incomplete fix of CVE-2020-16140 (see https://wpscan.com/vulnerability/10444), the reflected XSS is still exploitable against unauthenticated users: the search_nonce can be extracted from the source of the homepage and appended to the original payload. This works because WP nonces are tied to the logged-in user ID, and unauthenticated users all share ID 0, so they are issued the same nonce.
Proof of Concept
Get the search_nonce from the page source, e.g. https://demo.thembay.com/greenmart
Add it to the payload URL via the security parameter: https://demo.thembay.com/greenmart/wp-admin/admin-ajax.php?callback=%3Csvg/onload=alert(/XSS/)%3E&action=greenmart_autocomplete_search&term=defaultText&security=448d6cbda2
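The following is an added illustration of the root cause and its fix; it is not the Greenmart theme's own code. The AJAX action name and the callback, term and security parameters are taken from the advisory above, while the nonce action name 'search_nonce', the JSONP interpretation of callback and the handler bodies are assumptions. The point it shows is that a WP nonce is a CSRF token, not a secret: for logged-out users wp_create_nonce() hashes user ID 0 together with an empty session token, so every anonymous visitor receives the same value within its lifetime and it offers no protection against reflected XSS. The vulnerable handler relies on the nonce alone and reflects the callback verbatim; the hardened handler validates the callback as a strict identifier and otherwise falls back to plain JSON.

```php
<?php
// Added illustration, not the theme's own code. Action and parameter names
// (greenmart_autocomplete_search, callback, term, security) come from the
// advisory; the nonce action 'search_nonce' and the handler bodies are assumed.

// Pattern behind the original issue: the nonce check is the only gate, and the
// caller-supplied JSONP callback name is reflected into the response as-is.
function greenmart_autocomplete_search_vulnerable() {
    // check_ajax_referer() dies on a bad nonce, but for logged-out users the
    // nonce derives from user ID 0 and an empty session token, so it is the
    // same for every anonymous visitor and is readable from the homepage
    // source. It cannot stop a reflected XSS.
    check_ajax_referer( 'search_nonce', 'security' );

    $term     = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    $callback = isset( $_GET['callback'] ) ? wp_unslash( $_GET['callback'] ) : 'callback';
    $results  = array( 'term' => $term, 'items' => array() ); // lookup omitted

    header( 'Content-Type: text/html; charset=utf-8' );
    // Unescaped reflection: a callback value containing markup is rendered by
    // the browser instead of being treated as a function name.
    echo $callback . '(' . wp_json_encode( $results ) . ')';
    wp_die();
}

// Hardened form: never reflect attacker-controlled text as markup, and do not
// treat the nonce as authorization or output encoding.
function greenmart_autocomplete_search_hardened() {
    check_ajax_referer( 'search_nonce', 'security' );

    $term    = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    $results = array( 'term' => $term, 'items' => array() ); // lookup omitted

    $callback = isset( $_GET['callback'] ) ? wp_unslash( $_GET['callback'] ) : '';
    // Accept only a plain (optionally dotted) JavaScript identifier as the
    // JSONP callback; anything else is answered with plain JSON instead.
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    if ( '' !== $callback && preg_match( '/^' . $ident . '(\.' . $ident . ')*$/', $callback ) ) {
        header( 'Content-Type: application/javascript; charset=utf-8' );
        header( 'X-Content-Type-Options: nosniff' );
        // Leading comment defends against content-sniffing of the response.
        echo '/**/' . $callback . '(' . wp_json_encode( $results ) . ');';
        wp_die();
    }

    // wp_send_json() sets application/json and terminates the request.
    wp_send_json( $results );
}

// Register the hardened handler for both logged-in and logged-out users.
add_action( 'wp_ajax_greenmart_autocomplete_search', 'greenmart_autocomplete_search_hardened' );
add_action( 'wp_ajax_nopriv_greenmart_autocomplete_search', 'greenmart_autocomplete_search_hardened' );
```

When reviewing a fix of this kind, verify that the response can no longer be served as text/html with caller-controlled content, rather than only checking that a nonce is now required; a nonce requirement alone is exactly the incomplete fix this advisory describes.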
Affects Themes
Fixed in 2.5.2
Classification
Type
XSS
Miscellaneous
Original Researcher
ErwanLR (WPScan)
Verified
Yes
Timeline
Publicly Published
2020-10-29
Added
2020-10-29
Last Updated
2020-10-31