if ( 'update-core' === $current_screen->id && isset( $_REQUEST['update_theme'] ) ) {
    add_action( 'admin_head', function() {
        $theme_name = $_REQUEST['update_theme'];
        ob_start(); ?>
        <script>
        jQuery(window).ready(function() {
            'use strict';
            var $formUpgradeThemes = jQuery('form[name="upgrade-themes"]');
            if ( $formUpgradeThemes.length ) {
                var $input = $formUpgradeThemes.find('input[type="checkbox"][value="<?php echo $theme_name ?>"]');
                if ($input.length) {
                    $input.attr( 'checked', true );
                    $formUpgradeThemes.submit();
                }
            }
        });
        </script>
        <?php echo ob_get_clean();
    });
}
});
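Line 8 (383 in functions.php), the $theme_name = $_REQUEST['update_theme']; assignment, just reads the update_theme variable from the URL in the browser. Line 21 (395 in functions.php), the echo $theme_name inside the checkbox selector, then prints it as is into the inline script, without any escaping or sanitization.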
https://themeforest.net/item/newspaper/5489609
Version 10.3.4 fixed the flaw; just update and you’re good.
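For comparison, here is a hardened variant of the snippet above. It is an added example, not the vendor's 10.3.4 patch and not code from the theme. The current_screen wrapper is an assumption about the surrounding code that the excerpt does not show.

```php
<?php
// Added example: hardened variant of the vulnerable snippet (not the vendor's patch).
// Assumption: the original code runs inside a 'current_screen' callback.
add_action( 'current_screen', function ( $current_screen ) {
    if ( 'update-core' !== $current_screen->id || ! isset( $_REQUEST['update_theme'] ) ) {
        return;
    }

    // Normalise the input; arrays and markup collapse to a plain string.
    $theme_name = sanitize_text_field( wp_unslash( $_REQUEST['update_theme'] ) );

    // Allow-list: accept the value only if it names an installed theme.
    // The empty string is rejected explicitly because wp_get_theme( '' )
    // resolves to the active theme.
    if ( '' === $theme_name || ! wp_get_theme( $theme_name )->exists() ) {
        return;
    }

    add_action( 'admin_head', function () use ( $theme_name ) {
        // Emit the value as an escaped JS string literal; the HEX flags keep
        // <, >, &, ' and " out of the inline script as literal characters.
        $js_value = wp_json_encode(
            $theme_name,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        );
        ?>
        <script>
        jQuery( function ( $ ) {
            'use strict';
            var themeName = <?php echo $js_value; ?>;
            var $form = $( 'form[name="upgrade-themes"]' );
            // Compare values instead of concatenating input into a selector.
            var $input = $form.find( 'input[type="checkbox"]' ).filter( function () {
                return this.value === themeName;
            } );
            if ( $input.length ) {
                $input.prop( 'checked', true );
                $form.submit();
            }
        } );
        </script>
        <?php
    } );
} );
```

The allow-list check is the main control; the output encoding stays in place so the script context remains safe even if the validation is later loosened.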
Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organizer of WordCamp Lille.
A compulsive speaker, Senior Trainer and WordPress Engineer, he has been a security specialist since 2002 and contributes to WordPress in various ways.