WordPress Enfold theme <= 7.1.4 - Reflected Cross Site Scripting (XSS) vulnerability

Vulnerability

The Enfold WordPress theme versions up to and including 7.1.4 contain a reflected cross-site scripting (XSS) vulnerability. The issue is unauthenticated, meaning no prior authentication is required to trigger the vulnerable code path. The vulnerability exists in the theme's handling of certain input parameters, which are not properly sanitized before being reflected in the response. Affected versions: Enfold <= 7.1.4. [1]

Exploitation

An attacker can craft a malicious URL containing a payload and trick a privileged user (e.g., an administrator) into clicking it. User interaction is required; the victim must click the link or visit a crafted page. The attacker does not need any authentication or special network position. The payload is reflected and executed in the context of the victim's browser session. [1]

Impact

Successful exploitation allows the attacker to inject arbitrary HTML and JavaScript into the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or other actions performed in the context of the logged-in user. The impact is limited to the browser session of the victim user. [1]

Mitigation

The vulnerability is fixed in version 7.1.5. Users should update to 7.1.5 or later immediately. If unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied. No other workarounds are mentioned. [1]