OneTone <= 3.0.6 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description
"Due to missing capability checks and security nonces, an unauthenticated attacker can use the theme options import feature to inject JavaScript code into all pages and posts of the website"

Affects Theme

no known fix

References

CVE 2019-17230
CVE 2019-17231
URL https://blog.nintechnet.com/unauthenticated-stored-xss-vulnerability-in-wordpress-onetone-theme-unpatched/
URL https://blog.sucuri.net/2020/04/onetone-vulnerability-leads-to-javascript-cookie-hijacking.html

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Jerome Bruandet (nintechnet.com)
Views 2760
Verified No
WPVDB ID 10165

Timeline

Publicly Published 2020-04-03 (about 2 months ago)
Added 2020-04-03 (about 2 months ago)
Last Updated 2020-04-17 (about 1 month ago)
