Salutation Responsive 3.0.15 Cross Site Scripting

`Details  
================  
Software: Salutation Responsive WordPress + BuddyPress Theme  
Version: 3.0.15  
Homepage: https://themeforest.net/item/salutation-responsive-wordpress-buddypress-theme/548199  
Advisory report: https://security.dxw.com/advisories/stored-xss-salutation-theme/  
CVE: Awaiting assignment  
CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N)  
  
Description  
================  
Stored XSS in Salutation Responsive WordPress + BuddyPress Theme could allow logged-in users to do almost anything an admin can  
  
Vulnerability  
================  
The theme contains JavaScript (assets/js/onLoad.js) whichA iterates through .section-tabs aA and puts every href value it finds into jQuery(). jQuery() doesnat just search for elements which match a selector (i.e. jQuery(\'.section-tabs\')), it also creates elements (i.e. jQuery(\'<div>\')).  
$(\'.section-tabs\').simpleSlideTop();  
  
// ...  
  
$.fn.simpleSlideTop = function(opts) {  
  
// ...  
  
contentID = $(this).attr(\'href\');  
  
$(contentID).hide();  
An attacker without the unfiltered_htmlA capability would be able to inject arbitrary HTML as if they had the unfiltered_htmlA capability.A With the ability to inject arbitrary HTML, the attacker is ableA add JavaScript which causes a logged-in administrator user to do almost anything a including creating new user accounts, deleting posts, and more.  
  
Proof of concept  
================  
  
Click the activate button on the theme  
Install and activate Revolution Slider plugin  
Create a new user with role ofA Author (by default, Authors do not possess the unfiltered_html capability)  
Log in as that user  
Visit aAdd New Posta screen  
Switch the editor to aTexta mode  
Enter the following:A <div class=\"section-tabs\"><a href=\"<img src=x onerror=alert(1)>\">a</a></div>  
PressA aPublisha  
Press aView posta  
You will see an alertbox appear showing the value a1a  
  
For comparison,A if the same user account entersA <img src=x onerror=alert(1)> or <script>alert(1)</script>, it will be blocked by WordPress.  
  
Mitigations  
================  
Upgrade to versionA 3.0.16 or later.  
  
Disclosure policy  
================  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
  
Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf.  
  
This vulnerability will be published if we do not receive a response to this report with 14 days.  
  
Timeline  
================  
  
2017-04-26: Discovered  
2017-07-25: Reported via contact form onA http://para.llel.us/  
2017-07-25: Vendor reported issue fixed in 3.0.16  
2017-07-31: Advisory published  
  
  
  
Discovered by dxw:  
================  
Tom Adams  
Please visit security.dxw.com for more information.  
  
  
  
  
`