Reflected Cross-Site Scripting Vulnerability in DWT - Directory & Listing WordPress Theme
CVE-2025-0170

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Dwt - Directory & Listing WordPress Theme
Vendor: CVE Published:; 16 January 2025

Summary

The DWT - Directory & Listing WordPress Theme exhibits a significant vulnerability due to inadequate input sanitization and output escaping on the 'sort_by' and 'token' parameters. This flaw allows unauthenticated attackers to execute arbitrary web scripts on affected pages. By deceiving users into clicking malicious links, attackers can effectively manipulate web content, enhancing the risk of data theft and user compromise.

Affected Version(s)

DWT - Directory & Listing WordPress Theme * <= 3.3.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://scriptsbundle.gitbook.io/dwt-directory-and-listin...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 16, 2025
Vulnerability Reserved
Jan 2, 2025

Credit

István Márton