Stored Cross-Site Scripting vulnerabilities in Themify Portfolio Post <= 1.1.5 allow low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML into posts where the Themify Custom Panel is embedded.
1. As a contributor, go to the "Portfolios" tab in the sidebar and create a new Portfolio.
2. In the Themify Custom Panel section, input an XSS vector into:
   - Date
   - Client
   - Services
   - Link to Launch

   ex:
3. Publish/Send for review and visit the created post/preview as editor/admin to trigger the XSS.
CPE

Name | Operator | Version |
---|---|---|
themify-portfolio-post | lt | 1.1.6 |
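An added example (not the plugin's code or its actual fix) of rendering the four Custom Panel fields safely in plain PHP: the text fields are HTML-escaped, and Link to Launch is also restricted to http(s) because escaping alone does not neutralise other URL schemes. The array keys and function names are hypothetical; in WordPress itself, `esc_html()` and `esc_url()` cover the same two cases.

```php
<?php
// Added example, not the plugin's code. The four keys mirror the inputs
// listed in the advisory; their names here are hypothetical.

// Escape a free-text field for an HTML text or attribute context.
function render_text_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return an escaped href for "Link to Launch", or '' when the value is not
// an absolute http(s) URL.
function render_link_field(string $value): string
{
    $value  = trim($value);
    $scheme = parse_url($value, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the panel markup; every stored value is escaped at output time.
function render_panel(array $meta): string
{
    $out = '';
    foreach (['date', 'client', 'services'] as $key) {
        $out .= '<span class="' . $key . '">' . render_text_field($meta[$key] ?? '') . "</span>\n";
    }
    $href = render_link_field($meta['link'] ?? '');
    if ($href !== '') {
        $out .= '<a href="' . $href . '" rel="noopener">Launch</a>' . "\n";
    }
    return $out;
}

// Constructed sample values, as a Contributor might submit them.
$sample = [
    'date'     => '2021-01-01',
    'client'   => 'Acme <b>Corp</b>',
    'services' => '"Design" & build',
    'link'     => 'javascript:void(0)',
];
echo render_panel($sample);
```

With the sample input, the markup in Client and Services is emitted as inert text and the link is dropped entirely rather than rendered.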