CVE-2019-17231
Published 2020-04-03
CVE-2019-17231: includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues.
Priority: P1 · 80 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.22% (64.8th percentile)
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mageewp | onetone | <= 3.0.6 | — |
Detection & IOCs (extracted from sources)
sigma
matchers: status_code == 200, contains(content_type, "text/html"), contains_all(body, "console.log({{string}})","top-bar-info")
- The exploit payload injects console.log() JavaScript via stored XSS; successful exploitation is confirmed by the presence of 'console.log({{string}})' and 'top-bar-info' in the HTTP response body with status 200 and content-type text/html.
- The import/settings endpoint can be used to deliver the XSS payload; a successful import returns 'Import successful.' in the response body.
- The vulnerable code resides in includes/theme-functions.php of the OneTone WordPress theme (versions through 3.0.6); monitor for unexpected modifications to, or suspicious output from, this file.
- The XSS payload is stored via a theme option that controls the top bar; look for the 'display_top_bar':'yes' setting being set alongside injected script content.
- The Nuclei template uses a two-step detection: first a POST to import a crafted payload, then a GET of '/' to verify XSS reflection. Both steps must succeed (condition: and) for a true positive.
- The {{string}} placeholder in the template is a dynamic value substituted at runtime by the scanner; the actual injected string will vary per scan execution.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | — | 6.1 | MEDIUM | — |
GHSA
GHSA-8fpq-rc59-2p83: includes/theme-functions (ghsa_unreviewed · 2022-05-24)
CVE-2019-17231 [MEDIUM]
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues.
VulnCheck
mageewp onetone Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (vulncheck · 2019 · CVSS 6.1)
CVE-2019-17231 [MEDIUM]
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues.
Affected: mageewp onetone
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2020/04/onetone-vulnerability-leads-to-javascript-cookie-hijacking.html
No detection rules found.
Nuclei
WordPress OneTone theme <= 3.0.6 – Unauthenticated Stored XSS (nuclei · CVSS 6.1)
CVE-2019-17231 [MEDIUM]
WordPress OneTone theme console.log({{string}})","display_top_bar":"yes"}
```yaml
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains(body, "Import successful.")'
        condition: and
        internal: true

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains_all(body, "console.log({{string}})","top-bar-info")'
        condition: and
# digest: 4a0a0047304502202b1801014bf3018a63c1964b0e9d0cdb5a032be5b306330d12650ee60989884b022100f0791b5f4e70d05bf2c545615f99f3e868a0def3bb29ddbe6dac341ffd072085:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
Timeline
- 2020-04-03: Published
- Exploited in the wild