WordPress Ambience Theme <=1.0 - Cross-Site Scripting

What is the "WordPress Ambience Theme <=1.0 - Cross-Site Scripting" module?

The "WordPress Ambience Theme <=1.0 - Cross-Site Scripting" module is a test case designed to detect a cross-site scripting vulnerability in the WordPress Ambience Theme version 1.0 and earlier. This vulnerability has a medium severity level.

Impact

A successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users of the WordPress Ambience Theme. This can lead to various consequences, such as unauthorized access to sensitive information, session hijacking, or the spread of malware.

How the module works?

The module sends an HTTP GET request to the "/wp-content/themes/ambience/thumb.php?src=%3Cbody%20onload%3Dalert(1)%3E.jpg" path of the target WordPress website. It then applies several matching conditions to determine if the vulnerability exists:

- The response body must contain the code "<body onload=alert(1)>". - The response header must include the content type "text/html". - The HTTP status code must be 200.

If all of these conditions are met, the module reports the presence of the cross-site scripting vulnerability in the WordPress Ambience Theme.

For more information about this module, please refer to the original author's documentation.