lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 31 Jul 2017 14:49:19 +0000
From: dxw Security <>
Subject: [FD] Stored XSS in Salutation Responsive WordPress + BuddyPress
	Theme could allow logged-in users to do almost anything an
	admin can (WordPress plugin)

Software: Salutation Responsive WordPress + BuddyPress Theme
Version: 3.0.15
Advisory report:
CVE: Awaiting assignment
CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N)

Stored XSS in Salutation Responsive WordPress + BuddyPress Theme could allow logged-in users to do almost anything an admin can

The theme contains JavaScript (assets/js/onLoad.js) which iterates through .section-tabs a and puts every href value it finds into jQuery(). jQuery() doesn’t just search for elements which match a selector (i.e. jQuery(\'.section-tabs\')), it also creates elements (i.e. jQuery(\'<div>\')).

// ...

$.fn.simpleSlideTop = function(opts) {

    // ...

    contentID = $(this).attr(\'href\');

An attacker without the unfiltered_html capability would be able to inject arbitrary HTML as if they had the unfiltered_html capability. With the ability to inject arbitrary HTML, the attacker is able add JavaScript which causes a logged-in administrator user to do almost anything – including creating new user accounts, deleting posts, and more.

Proof of concept

Click the activate button on the theme
Install and activate Revolution Slider plugin
Create a new user with role of Author (by default, Authors do not possess the unfiltered_html capability)
Log in as that user
Visit “Add New Post” screen
Switch the editor to “Text” mode
Enter the following: <div class=\"section-tabs\"><a href=\"&lt;img src=x onerror=alert(1)&gt;\">a</a></div>
Press “Publish”
Press “View post”
You will see an alertbox appear showing the value “1”

For comparison, if the same user account enters <img src=x onerror=alert(1)> or <script>alert(1)</script>, it will be blocked by WordPress.

Upgrade to version 3.0.16 or later.

Disclosure policy
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy:

Please contact us on to acknowledge this report if you received it via a third party (for example, as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.


2017-04-26: Discovered
2017-07-25: Reported via contact form on
2017-07-25: Vendor reported issue fixed in 3.0.16
2017-07-31: Advisory published

Discovered by dxw:
Tom Adams
Please visit for more information.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists