VYPR
Medium severity (CVSS 6.4) · NVD Advisory · Published May 16, 2026 · Updated May 18, 2026

CVE-2020-37235

Description

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject base64-encoded script payloads through the ftc_brand_url input field to execute arbitrary JavaScript when users visit the brand page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress Theme Wibar 1.1.8 has a stored XSS in the Brand Logo URL parameter, allowing authenticated users to execute arbitrary JavaScript when others visit the brand page.

Vulnerability

WordPress Theme Wibar version 1.1.8 contains a stored cross-site scripting (XSS) vulnerability in the Brand component. The ftc_brand_url input field, used for the Logo URL parameter, does not properly sanitize user input. Authenticated users with editor, administrator, contributor, or author privileges can inject malicious scripts that are stored and executed when other users visit the brand page [1][2].

Exploitation

An attacker must have valid WordPress credentials with the editor, administrator, contributor, or author role. After logging in, the attacker navigates to the Brands section, adds a new brand, and in the Logo URL field enters a payload beginning with `">`, which closes the quoted attribute and the tag the URL is written into, followed by the script to inject (the description notes these are base64-encoded script payloads). Upon publishing, the injected value is stored verbatim. When any user visits that brand's page, the script executes in their browser, in the origin of the affected site [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of users who view the compromised brand page. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is stored and persists until the malicious input is removed, affecting the confidentiality and integrity of the site for any visitor [1][2].

Mitigation

As of the available references, no official patch for Wibar 1.1.8 has been released. Users should upgrade to a newer version if one is available; otherwise, restrict the Brand component to trusted users (note that the contributor and author roles, which sites commonly grant to outside writers, are enough to reach the field) and review brands already stored on the site, removing any whose Logo URL is not a plain http(s) URL. The theme may be end-of-life; consult the vendor for updates. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
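The breakout described under Exploitation and the clean-up suggested above, as an added example that is not code from the Wibar theme or from the cited references. It shows a template that concatenates the stored logo URL into an `<img src="...">` attribute (the pattern the advisory describes), a hardened renderer that allowlists the URL and attribute-encodes it, and an audit over stored rows that applies the same check. The function names, the assumption that the theme stores the value as term meta under the key `ftc_brand_url`, and the sample payloads are all constructed for this example; the real injected payload is not reproduced in the references summarized here.

```python
"""Stored XSS via an unescaped logo URL: vulnerable rendering, a hardened
renderer, and an audit over stored values. Added example; not code from
the Wibar theme. Function, field and record names are assumptions."""
import html
from urllib.parse import urlsplit

# Constructed sample values for the brand logo field (ftc_brand_url).
# The second and third are breakout payloads built for this demonstration;
# the third decodes to alert(1) via atob(), the shape the advisory calls a
# base64-encoded script payload.
BENIGN_URL = "https://cdn.example.com/logos/acme.png"
BREAKOUT_PAYLOAD = '"><script>alert(1)</script>'
BASE64_PAYLOAD = '"><script>eval(atob("YWxlcnQoMSk="))</script>'

ALLOWED_SCHEMES = {"http", "https"}


def render_brand_vulnerable(logo_url: str) -> str:
    """Template that concatenates the stored value straight into an
    attribute. A value starting with "> closes the src attribute and the
    <img> tag, so any markup after it is parsed as page content."""
    return '<img class="brand-logo" src="' + logo_url + '">'


def is_safe_logo_url(value: str) -> bool:
    """Allowlist check for a logo URL: absolute http(s) URL with a host and
    no characters that can terminate an attribute or a tag. Mirrors the
    intent of WordPress esc_url(), which this stand-alone script does not call."""
    if not value or any(ch in '<>"\'' or ch.isspace() or ord(ch) < 0x20 for ch in value):
        return False
    parts = urlsplit(value)
    # Scheme-less (//cdn.example.com/x.png) and javascript: values both fail here.
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_brand_hardened(logo_url: str) -> str:
    """Validate first, then attribute-encode. Rejected values render nothing
    rather than a broken or attacker-controlled tag."""
    if not is_safe_logo_url(logo_url):
        return ""
    return '<img class="brand-logo" src="' + html.escape(logo_url, quote=True) + '">'


# Constructed rows shaped like wp_termmeta entries; the assumption that the
# theme stores the logo URL as term meta under the key ftc_brand_url is ours.
SAMPLE_TERMMETA = [
    {"meta_id": 1, "term_id": 11, "meta_key": "ftc_brand_url", "meta_value": BENIGN_URL},
    {"meta_id": 2, "term_id": 12, "meta_key": "ftc_brand_url", "meta_value": BREAKOUT_PAYLOAD},
    {"meta_id": 3, "term_id": 13, "meta_key": "ftc_brand_url", "meta_value": BASE64_PAYLOAD},
    {"meta_id": 4, "term_id": 14, "meta_key": "ftc_brand_url", "meta_value": "javascript:alert(1)"},
    {"meta_id": 5, "term_id": 14, "meta_key": "ftc_brand_desc", "meta_value": "Acme <b>tools</b>"},
]


def audit_brand_records(rows):
    """Return the logo-URL rows whose stored value fails the allowlist, i.e.
    the entries a clean-up after an incident should remove or re-enter.
    Rows for other meta keys are out of scope and left alone."""
    return [
        row for row in rows
        if row["meta_key"] == "ftc_brand_url" and not is_safe_logo_url(row["meta_value"])
    ]


if __name__ == "__main__":
    print(render_brand_vulnerable(BREAKOUT_PAYLOAD))
    print(repr(render_brand_hardened(BREAKOUT_PAYLOAD)))
    print(render_brand_hardened(BENIGN_URL))
    for row in audit_brand_records(SAMPLE_TERMMETA):
        print("flag term_id=%d: %r" % (row["term_id"], row["meta_value"]))
```

The validator deliberately rejects scheme-relative URLs and anything carrying quotes, angle brackets or whitespace, so a value that fails it is either malformed or hostile; in a WordPress theme the equivalent call at output time is `esc_url()`, and the same check run over the stored rows turns the post-incident clean-up into a list of specific entries to remove.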

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 0