SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2020-16140
    ▲ MediumCVSS 6.1✓ PatchedEPSS 0.00207%

    Reflected Cross-Site Scripting in Thembay

    The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.

    CVE IDCVE-2020-16140
    CVSS v3.16.1 Medium
    VendorThembay
    CWECWE-79
    DisclosedJul 17, 2020
    StatusFixed
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Impact
    • 04Remediation
    • 05Timeline
    • 06References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload was executed when the user loads a malicious link generated using the ajax call back in Greenmart autocomplete search.

    Vendor
    Thembay
    Affected Product
    Greenmart version 2.4.2.
    CVE
    CVE-2020-16140
    Securin ID
    2020-CSW-07-1045
    Status
    Fixed
    Date
    July 17, 2020
    Severity
    Medium
    CVSS Score
    6.1
    Vector
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    CWE
    CWE-79
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    6.1CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    ScopeChanged
    ImpactC:L / I:L / A:N
    SeverityMedium

    The following vulnerability was tested on the Greenmart theme on WordPress with version 5.4.2.

    PoC · Exploitation Steps▲ trigger
    01Issue 01: Reflected cross-site scripting.02Figure-01: The view-source of the WordPress application, which confirms the theme is Greenmart.03Figure-02: Greenmart search functionality04Figure-03: The search action related backend ajax call05Figure-04: The ajax call to “greenmart_autocomplete_search” action and the response from the server06Figure-05: Call-back request parameter with payload and the response from the server.072. Click on the following link http://localhost/wordpress/wp-admin/admin-ajax.php?callback=–>%27″><svg/onload=alert(document.cookie)>&action=greenmart_autocomplete_search&term=defaultText&_=159373767019608Figure-06: The call-back parameter is vulnerable to Reflected XSS, and it’s getting executed in the user browser context.

    Figure-07: Wp-config configuration related to protecting XSS.

    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    When the user input from a URL or POST data is reflected on the page without being stored, thus allowing the attacker to inject malicious content. This means that an attacker has to send a crafted malicious URL or post form to the victim to insert the payload.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Download and apply the relevant patches from the vendor:

    https://docs.thembay.com/greenmart/

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-16140, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    July 17, 2020

    Reported to Vendor

    July 17, 2020

    Vendor Responded

    July 18, 2020

    Vendor Released Fixed

    July 29, 2020

    CVE Assigned

    Disclosed 1 day after discovery

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2020-16140

    nvd.nist.gov/vuln/detail/CVE-2020-16140 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum