Stored XSS in Salutation Responsive WordPress + BuddyPress Theme could allow logged-in users to do almost anything an admin can

CVSS base score: 4.9 (Medium)
Access Vector: Network
Access Complexity: Medium
Authentication: Single
Confidentiality: Partial
Integrity: Partial
Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

The theme contains JavaScript (assets/js/onLoad.js) which iterates through .section-tabs a and passes every href value it finds straight into jQuery(). jQuery() doesn’t just search for elements which match a selector (e.g. jQuery('.section-tabs')), it also creates elements from HTML strings (e.g. jQuery('<div>')).

$('.section-tabs').simpleSlideTop();

// ...

$.fn.simpleSlideTop = function(opts) {

    // ...

    // href comes from user-supplied post content; a value beginning with "<"
    // is parsed as HTML by jQuery() instead of being used as a selector
    contentID = $(this).attr('href');

    $(contentID).hide();

    // ...
};

An attacker without the unfiltered_html capability would be able to inject arbitrary HTML as if they had the unfiltered_html capability. With the ability to inject arbitrary HTML, the attacker is able to add JavaScript which causes a logged-in administrator user to do almost anything – including creating new user accounts, deleting posts, and more.
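The sink described above comes down to how jQuery(string) decides between "selector" and "HTML". The following is an added example, not code from the Salutation theme or from jQuery itself: it reproduces the classification rule jQuery 1.9 and later apply to string arguments (the rquickExpr regular expression from jQuery's init routine), and beside it shows a hardened way to resolve a tab link's href, which accepts only an in-page fragment id and returns that id for lookup with getElementById. The sample hrefs, the function names and the helper demo() are constructed for this example. Note that the browser decodes the &lt; and &gt; entities in the href attribute before jQuery reads it, so .attr('href') hands jQuery a string that begins with "<".

```javascript
// Added example (not the theme's or jQuery's own code): emulate how jQuery()
// sorts a string argument, and show a hardened href-to-target resolution.

// jQuery >= 1.9 uses this expression on string arguments:
//   capture group 1 => the string starts with "<" and contains ">" : parsed as HTML
//   capture group 2 => "#id"                                        : id lookup
//   no match        => handed to the Sizzle selector engine
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Classify a string the way jQuery(string) would: "html", "id" or "selector".
function classifyJqueryArg(str) {
  const match = rquickExpr.exec(str);
  if (match && match[1]) return 'html';
  if (match && match[2]) return 'id';
  return 'selector';
}

// Hardened replacement for `$($(this).attr('href'))`: a section tab may only
// point at an in-page fragment, so accept nothing but "#" followed by a valid
// id and return that id. Callers then use document.getElementById(id), which
// never parses HTML, instead of feeding the raw attribute to jQuery().
const rFragmentId = /^#([A-Za-z][\w-]*)$/;

function safeTabTarget(href) {
  if (typeof href !== 'string') return null;
  const m = rFragmentId.exec(href.trim());
  return m ? m[1] : null;
}

// Constructed sample hrefs: a legitimate tab link, the advisory's proof-of-concept
// payload as the browser delivers it after entity decoding, and a variant with
// leading text (jQuery < 1.9 also treated that as HTML; 1.9+ does not).
const SAMPLE_HREFS = [
  '#tab-overview',
  '<img src=x onerror=alert(1)>',
  'x<img src=x onerror=alert(1)>',
];

// Compare the unsafe classification with the hardened resolution for each href.
function demo() {
  return SAMPLE_HREFS.map((href) => ({
    href,
    jqueryTreatsAs: classifyJqueryArg(href),
    hardenedTarget: safeTabTarget(href),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of demo()) console.log(row);
}
```

Running the block prints one row per sample: the legitimate link resolves to the id "tab-overview" under both approaches, while the payload is classified as "html" by jQuery's rule (which is exactly why the theme's `$(contentID)` call injects it into the page) and is rejected with null by safeTabTarget.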

Proof of concept

  1. Click the activate button on the theme
  2. Install and activate Revolution Slider plugin
  3. Create a new user with role of Author (by default, Authors do not possess the unfiltered_html capability)
  4. Log in as that user
  5. Visit “Add New Post” screen
  6. Switch the editor to “Text” mode
  7. Enter the following: <div class="section-tabs"><a href="&lt;img src=x onerror=alert(1)&gt;">a</a></div>
  8. Press “Publish”
  9. Press “View post”
  10. You will see an alert box appear showing the value “1”

For comparison, if the same user account enters <img src=x onerror=alert(1)> or <script>alert(1)</script>, it will be blocked by WordPress.

Mitigation/further actions

Upgrade to version 3.0.16 or later.