Web Flaws and Vulnerabilities

Newspaper Theme <= 10.3.3 – Reflected XSS in admin area

Newspaper is a famous theme from TagDiv on ThemeForest, with about 95,000 sales.

Reflected XSS

We found an XSS vulnerability in the file functions.php that allows an attacker to inject JavaScript code into the admin dashboard.

Check the code:

add_action( 'current_screen', function() {
    $current_screen = get_current_screen();

    if ( 'update-core' === $current_screen->id && isset( $_REQUEST['update_theme'] )) {

        add_action('admin_head', function() {

            $theme_name = $_REQUEST['update_theme'];

            ob_start();
            ?>

            <script>
                jQuery(window).ready(function() {

                    'use strict';

                    var $formUpgradeThemes = jQuery('form[name="upgrade-themes"]');
                    if ( $formUpgradeThemes.length ) {
                        var $input = $formUpgradeThemes.find('input[type="checkbox"][value="<?php echo $theme_name ?>"]');
                        if ($input.length) {
                            $input.attr( 'checked', true );
                            $formUpgradeThemes.submit();
                        }
                    }
                });
            </script>

            <?php
            echo ob_get_clean();
        });
    }
});

Line 8 (383 in functions.php) reads the update_theme variable straight from the URL in the browser, and line 21 (395 in functions.php) prints it as is into the inline script, without any escaping or sanitization.
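
The reflection described above and one way to harden it, as an added example that is neither TagDiv's code nor the 10.3.4 patch. It is plain PHP so it runs outside WordPress; the function names, the slug allow-list and the probe string are assumptions made for illustration.

```php
<?php
// Added example (not TagDiv's code). Plain PHP so it runs outside WordPress;
// inside WordPress, wp_json_encode() takes the same flags.

// Encode a value as a JS string literal that is also safe inside <script>:
// the HEX flags turn <, >, &, ' and " into \uXXXX escapes.
function js_literal(string $value): string {
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Model of the vulnerable template: raw value inside a quoted selector.
function render_vulnerable(string $theme): string {
    $tpl = <<<'JS'
<script>var $input = jQuery('input[type="checkbox"][value="%s"]');</script>
JS;
    return sprintf($tpl, $theme);
}

// Hardened: allow-list first, then pass the value as data, not selector text.
function render_hardened(string $theme): string {
    // Assumption: theme slugs only use these characters. In WordPress,
    // wp_get_theme( $theme )->exists() is a stricter check.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $theme)) {
        return ''; // unexpected input: emit no script at all
    }
    $tpl = <<<'JS'
<script>
var wanted = %s;
var $input = jQuery('form[name="upgrade-themes"] input[type="checkbox"]')
    .filter(function () { return this.value === wanted; });
</script>
JS;
    return sprintf($tpl, js_literal($theme));
}

// Constructed inputs: a normal slug and a probe with quote and tag characters.
$slug  = 'Newspaper';
$probe = 'demo"</script>';

echo render_vulnerable($probe), "\n"; // raw reflection of the probe
echo js_literal($probe), "\n";        // the same probe as an escaped literal
var_dump(render_hardened($probe));    // probe rejected by the allow-list
echo render_hardened($slug), "\n";    // valid slug passed to the script as data
```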

https://themeforest.net/item/newspaper/5489609

Version 10.3.4 fixed the flaw; just update and you’re good.