WordPress Twenty Fifteen Theme DOM Cross Site Scripting

WordPress Twenty Fifteen Theme DOM Cross Site Scripting

WordPress Twenty Fifteen WordPress Twenty Fifteen Theme DOM Cross Site Scripting

WordPress Twenty Fifteen Theme - DOM XSS
Advisory ID: RO-15-004
CVE ID: CVE-2015-3429
Severity: Medium
Vendor: WordPress
Product: Twenty Fifteen Theme
Version: *


Overview #

A DOM-based Cross-site Scripting (XSS) vulnerability exists in the WordPress Twenty Fifteen Theme. The vulnerability allows remote attackers to inject arbitrary web script or HTML via DOM manipulation.


Vulnerability Details #

Affected Versions: All versions before patch

Root Cause: Insufficient input validation in client-side JavaScript allows DOM-based XSS attacks.


Exploitation Requirements #

No authentication required
Victim must visit a crafted URL

Impact #

Remote attackers can exploit this vulnerability to:

Execute JavaScript in the victim's browser
Steal WordPress session cookies
Perform actions on behalf of users

Proof of Concept #

Details available upon request.


Solution #

Update WordPress and the Twenty Fifteen theme to the latest versions.


References #

CVE-2015-3429

Timeline:

[2015-01-01] - Discovered

Credits: Omar Kurt