vendor:
Enfold
by:
Francisco Díaz-Pache Alonso, Sergio Corral Cristo and David Álvarez Robles
6.1
CVSS
MEDIUM
Reflected Cross-Site Scripting (XSS)
79
CWE
Product Name: Enfold
Affected Version From: Enfold < 4.8.4
Affected Version To: Enfold < 4.8.4
Patch Exists: YES
Related CWE: CVE-2021-24719
CPE: a:kriesi:enfold
Platforms Tested: Ubuntu
2021
WordPress Theme Enfold 4.8.3 – Reflected Cross-Site Scripting (XSS)
While navigating on WordPress sites with Enfold Theme previous than 4.8.4 version and Avia Page Builder, string “ProofOfConcept” can be reflected literally on pagination numbers. Moreover, the parameter “avia-element-paging” appears and can be used for crafting Google Dork based searches. Changing the “ProofOfConcept” text with a Cross-Site-Scripting (XSS) payload, the page processes and executes it. This is a reflected Cross-Site-Scripting (XSS) vulnerability.
Mitigation:
Enfold Theme should be updated to version 4.8.4 or higher.