The Triton Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the theme's Button shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 26 Sep 2024 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Towfiqi
Towfiqi triton Lite
CPEs cpe:2.3:a:towfiqi:triton_lite:*:*:*:*:*:wordpress:*:*
Vendors & Products Towfiqi
Towfiqi triton Lite

Fri, 13 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Sep 2024 15:15:00 +0000

Type Values Removed Values Added
Description The Triton Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the theme's Button shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Triton Lite <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-09-13T15:10:37.165Z

Updated: 2024-09-13T15:34:27.168Z

Reserved: 2024-06-10T11:02:26.777Z

Link: CVE-2024-5789

cve-icon Vulnrichment

Updated: 2024-09-13T15:34:20.544Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-13T15:15:15.137

Modified: 2024-09-26T20:28:29.237

Link: CVE-2024-5789

cve-icon Redhat

No data.