Securin Zero-Days

CVE-2020-16140 – Reflected Cross-Site Scripting in Thembay

Severity: High

Vendor: Thembay

Affected Product: Greenmart version 2.4.2

CVE: CVE-2020-16140

Securin ID: 2020-CSW-07-1045

Status: Fixed

Date: July 17, 2020

Description

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted web site. The attack targets your users rather than the application itself, but it uses your application as the vehicle. In Greenmart, the XSS payload is executed when a user loads a malicious link built on the AJAX callback used by the theme's autocomplete search: the value of the callback parameter is reflected into the response without validation or encoding.

Proof of Concept (POC):

The following vulnerability was tested on the Greenmart theme running on WordPress version 5.4.2.

Issue 01: Reflected cross-site scripting.

1. Install the Greenmart theme on WordPress version 5.4.2.

Figure-01: The view-source of the WordPress application, which confirms the theme is Greenmart.


Figure-02: Greenmart search functionality

Figure-03: The search action related backend ajax call

Figure-04: The ajax call to the "greenmart_autocomplete_search" action and the response from the server


Figure-05: Call-back request parameter with payload and the response from the server.


2. Click on the following link: http://localhost/wordpress/wp-admin/admin-ajax.php?callback=-->%27"><svg/onload=alert(document.cookie)>&action=greenmart_autocomplete_search&term=defaultText&_=1593737670196

Figure-06: The call-back parameter is vulnerable to Reflected XSS, and it’s getting executed in the user browser context.
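The root cause shown in the description and the proof of concept above is a callback name echoed into the response body without validation. As an added illustration (not code from Securin, Thembay or the Greenmart theme), the following Python covers the two things a defender wants here: a strict allowlist for JSONP-style callback names, which is the check a fixed handler would apply before wrapping its JSON, and a detection pass over web-server access-log lines that flags admin-ajax.php requests whose decoded callback value would fail that allowlist. The log format (Apache/nginx combined), the 64-character length cap and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for a JSONP callback name: a dotted chain of JavaScript
# identifiers such as "jQuery17_159373" or "window.cb". Quotes, angle
# brackets, slashes and parentheses are all rejected; this is the check
# a handler that reflects "callback" verbatim is missing.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*", re.ASCII)
_MAX_CALLBACK_LEN = 64  # assumption: generous bound for library-generated names

# Combined log format request line (assumption: Apache/nginx style access log).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_safe_callback(name: str) -> bool:
    """True only if name is a plain JS identifier chain of sane length."""
    return 0 < len(name) <= _MAX_CALLBACK_LEN and _CALLBACK_RE.fullmatch(name) is not None


def build_jsonp_response(callback: str, json_body: str) -> str:
    """Server-side mitigation: wrap the JSON in the callback only when the
    name passes the allowlist; otherwise return bare JSON so that
    attacker-supplied text never reaches the script body."""
    if not is_safe_callback(callback):
        return json_body
    return f"{callback}({json_body});"


def find_suspicious_callback_requests(log_lines):
    """Detection: flag admin-ajax.php requests whose decoded callback
    value would fail the allowlist above. Returns one dict per hit."""
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/admin-ajax.php"):
            continue
        # parse_qs percent-decodes values, so we check what the server saw
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("callback", []):
            if not is_safe_callback(value):
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "action": (query.get("action") or ["?"])[0],
                    "callback": value,
                })
    return findings


# Constructed sample log lines (not real traffic). The second one carries the
# payload shape from the advisory, percent-encoded as a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2020:10:01:12 +0000] "GET /wordpress/wp-admin/admin-ajax.php'
    '?callback=jQuery17_159373&action=greenmart_autocomplete_search&term=shirt&_=1593737670196'
    ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Jul/2020:10:02:40 +0000] "GET /wordpress/wp-admin/admin-ajax.php'
    '?callback=--%3E%27%22%3E%3Csvg/onload=alert(document.cookie)%3E'
    '&action=greenmart_autocomplete_search&term=defaultText&_=1593737670196'
    ' HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Jul/2020:10:03:01 +0000] "GET /wordpress/index.php HTTP/1.1"'
    ' 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious_callback_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} action={hit['action']} "
              f"rejected callback={hit['callback']!r}")
```

The allowlist is deliberately narrow: a legitimate jQuery JSONP callback is always an identifier chain, so anything outside that pattern can be dropped or answered with plain JSON without breaking real clients. Run against a real access log, the same detection routine gives a quick retrospective check for attempts against this parameter, independent of whether the theme has already been updated.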