Description

"Genericons are vector icons embedded in a webfont designed to be clean and simple keeping with a generic aesthetic."

The Genericons package includes a file called example.html which has been found to be vulnerable to a DOM-based XSS vulnerability. This package is included in various WordPress plugins and themes. For example is included in the TwentyFifteen theme (installed by default) and the very popular JetPack plugin.

Remediation

Remove the example.html file located in the genericons directory.

References

WordPress 4.2.2 Security and Maintenance Release

JetPack and TwentyFifteen Vulnerable to DOM-based XSS

Genericons

Related Vulnerabilities

WordPress Plugin Indeed Job Importer Cross-Site Scripting (1.0.5)

WordPress Plugin Portrait-Archiv.com Photostore Cross-Site Scripting (3.1)

WordPress Plugin Smart Forms-Calculated Fields, Form Builder, Easy To Use Cross-Site Scripting (2.6.15)

WordPress Plugin OpenID Connect Generic Client Cross-Site Scripting (3.8.1)

WordPress Plugin Relevanssi-A Better Search Cross-Site Scripting (3.3.7.1)

Severity

High

Classification

CWE-80 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

XSS