Reflected Cross-Site Scripting Vulnerability in DeoThemes WordPress Products
CVE-2023-3708

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Everse; Nokke; MedikAid | Medical Health Care RTL WordPress Theme; Arendelle
Vendor: CVE Published:; 18 July 2023

Summary

Certain WordPress themes developed by DeoThemes are prone to a reflected Cross-Site Scripting (XSS) vulnerability due to inadequate input sanitization and output escaping in their breadcrumb feature. This security flaw enables unauthenticated attackers to craft and inject malicious scripts into pages viewed by end-users. An attacker can exploit this vulnerability by successfully persuading users to click a specially crafted link, potentially leading to unauthorized actions performed in the context of the affected user session.

Affected Version(s)

Amela * <= 1.0.13

Arendelle * <= 1.1.12

Everse * <= 1.8.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themes.trac.wordpress.org/changeset?sfp_email=&sf...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 18, 2023
Vulnerability Reserved
Jul 17, 2023

Credit

FearZzZz