ROSECURIFY

WordPress Twenty Fifteen Theme - DOM XSS

Advisory ID: RO-15-004
CVE ID: CVE-2015-3429
Severity: Medium
Vendor: WordPress
Product: Twenty Fifteen Theme
Version: *

Overview #

A DOM-based Cross-site Scripting (XSS) vulnerability exists in the WordPress Twenty Fifteen Theme. The vulnerability allows remote attackers to inject arbitrary web script or HTML via DOM manipulation.

Vulnerability Details #

Affected Versions: All versions before patch

Root Cause: Insufficient input validation in client-side JavaScript allows DOM-based XSS attacks.

Exploitation Requirements #

  • No authentication required
  • Victim must visit a crafted URL

Impact #

Remote attackers can exploit this vulnerability to:

  • Execute JavaScript in the victim's browser
  • Steal WordPress session cookies
  • Perform actions on behalf of users

Proof of Concept #

Details available upon request.

Solution #

Update WordPress and the Twenty Fifteen theme to the latest versions.

References #

Timeline:

  • [2015-01-01] - Discovered

Credits: Omar Kurt

Press / to search, Esc to close