A Cross-Site Scripting vulnerability was found in the Doctors WordPress Theme. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure a logged on WordPress Administrator into opening a malicious website (or advertisement).
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE-20160725-0002
This issue was successfully tested on version 0.7 of the Doctors WordPress Theme.
There is currently no fix available.
Doctors is a Free Medical WordPress Theme. It is perfect for medical centers, dentists, doctors, GPs, vets, general practices, health care, ambulances, health & beauty, spa centers or even a hospital. A Cross-Site Scripting vulnerability was found in the Doctors WordPress Theme. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.
A Cross-Site Scripting vulnerability exists in the Doctors WordPress Theme. This issue exists due to the fact that the theme uses a parameter from a GET request without applying output encoding. Furthermore the affected code is not protected with an anti-Cross-Site Request Forgery token.
The vulnerable code in the doctors/core/contents/part_subHeader/skin1/html.php file is listed below:
echo $_GET['s'];
http://<target>/?s=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
