CVE-2016-10994
Description
The Truemag theme 2016 Q2 for WordPress has XSS via the s parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The AI Insight narrative is available to signed-in members. Sign in or create a free account to read it.
Affected products
2- WordPress/Truemag themedescription
Patches
Discovered fix commits and diffs is available to signed-in members. Sign in or create a free account to read it.
Vulnerability mechanics
Root cause
"Missing output encoding of the `s` GET parameter in the Truemag theme's search results page allows reflected cross-site scripting."
Attack vector
An attacker crafts a URL containing a malicious payload in the `s` parameter, such as `"><script>...</script>`, and tricks a logged-in user into clicking it [ref_id=1]. The request is sent via GET to the vulnerable theme module at `/wp-contact/theme/truemag` [ref_id=1]. No authentication is required to trigger the vulnerability, and the injected script executes in the victim's browser session, enabling session hijacking or phishing [ref_id=1].
Affected code
The vulnerable parameter is `s` in the GET request to the Truemag theme's page module [ref_id=1]. The advisory identifies the vulnerable service as the Truemag Theme (WordPress) version 2016 Q2, with the vulnerable module path `/wp-contact/theme/truemag` [ref_id=1]. No specific source file or function name is provided in the advisory.
What the fix does
The advisory recommends that the vulnerable `s` value be securely parsed and encoded before being rendered in the page, and that input restrictions be applied to prevent script code injection [ref_id=1]. No patch diff is available in the bundle, so the specific code changes are unknown. The fix would involve properly escaping the `s` parameter output using WordPress's built-in escaping functions such as `esc_html()` or `esc_attr()`.
Preconditions
- networkAttacker must be able to deliver a crafted URL to the victim (e.g., via email, link, or social engineering).
- inputThe `s` GET parameter is reflected in the response without sanitization or encoding.
Reproduction
Visit `http://wp.localhost:8080/?s="><script>alert(1)</script>` (or any similar XSS payload) in a browser. The injected script executes in the context of the vulnerable Truemag theme page [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- wpvulndb.com/vulnerabilities/8478mitrex_refsource_MISC
- www.vulnerability-lab.com/get_content.phpmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.