CVE-2019-17231
published 2020-04-03

CVE-2019-17231: includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues.

Priority P180 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 1.22% (64.8th percentile)

Affected

1 range

Vendor | Product   | Version range | Fixed in
magee  | wponetone | <= 3.0.6      |

Detection & IOCs (extracted from sources)

path: includes/theme-functions.php
sigma matchers: status_code == 200, contains(content_type, "text/html"), contains_all(body, "console.log({{string}})", "top-bar-info")
  • Exploit payload injects console.log() JavaScript via stored XSS; successful exploitation is confirmed by the presence of 'console.log({{string}})' and 'top-bar-info' in the HTTP response body with status 200 and content-type text/html.
  • The import/settings endpoint can be used to deliver the XSS payload; a successful import returns 'Import successful.' in the response body.
  • The vulnerable code resides in includes/theme-functions.php of the OneTone WordPress theme (versions through 3.0.6); monitor for unexpected modifications or suspicious output from this file.
  • The XSS payload is stored via a theme option that controls the top bar; look for the 'display_top_bar':'yes' setting being set alongside injected script content.
  • The Nuclei template uses a two-step detection: first POST to import a crafted payload, then GET '/' to verify XSS reflection. Both steps must succeed (condition: and) for a true positive.
  • The {{string}} placeholder in the template is a dynamic value substituted at runtime by the scanner; the actual injected string will vary per scan execution.

CVSS provenance

nvd (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd (v2.0): 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck: 6.1 MEDIUM