WordPress Qreatix theme <= 1.9.4 - Cross Site Scripting (XSS) vulnerability
Description
Unauthenticated stored XSS in Qreatix theme ≤1.9.4 allows attackers to inject malicious scripts executed on visitors' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Qreatix WordPress theme versions up to and including 1.9.4 contain an unauthenticated Cross-Site Scripting (XSS) vulnerability [1]. The flaw allows injection of arbitrary scripts without requiring authentication, but successful exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link or page that injects a script into the theme's output once a privileged user interacts with it [1]. No authentication is needed to initiate the attack, but interaction from a higher-privileged user is required before the script is stored or executed [1]. The injected script then runs in the browsers of visitors who access the affected site.
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript payloads, such as redirects, advertisements, or other malicious scripts [1]. This can lead to information disclosure, session hijacking, defacement, or further compromise of the website and its visitors. The CVSS score is 7.1, indicating moderate severity [1].
Mitigation
As of the publication date, no official patch has been released for Qreatix [1]. Patchstack has issued a mitigation rule to block attacks until an official fix is available and can be safely applied [1]. Users are advised to update the theme as soon as a patched version is released, or apply the mitigation rule from Patchstack. If unable to update, contact your hosting provider or web developer for assistance [1].
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026), Wordfence Blog, Jun 4, 2026