Xu Yiyang WordPress Multiple Themes S Parameter Cross-Site Scripting Vulnerability

Bugtraq ID:	25215
Class:	Input Validation Error
CVE:	CVE-2007-4165
Remote:	Yes
Local:	No
Published:	Aug 06 2007 12:00AM
Updated:	May 07 2015 05:36PM
Credit:	phoenix is credited with reporting this issue.
Vulnerable:	Xu Yiyang Unnamed Special Edition 1.02 Xu Yiyang Unnamed 1.0.0.2 Xu Yiyang Blue Memories 1.5
Not Vulnerable:	Xu Yiyang Unnamed Special Edition 1.03 Xu Yiyang Blue Memories 1.5.0.1

Xu Yiyang WordPress Multiple Themes S Parameter Cross-Site Scripting Vulnerability

Multiple themes for WordPress are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

These themes for WordPress are reported vulnerable:

Unnamed 1.0.0.2
Unnamed 1.02 Special Edition
Blue Memories 1.5.0

This issue is related to the issue described in BID 24954 (WordPress Multiple Themes S Parameter Cross-Site Scripting Vulnerability).

Xu Yiyang WordPress Multiple Themes S Parameter Cross-Site Scripting Vulnerability

An attacker may exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Xu Yiyang WordPress Multiple Themes S Parameter Cross-Site Scripting Vulnerability

Solution:
The vendor released updates to address this issue. Please see the references for more information.


Xu Yiyang Unnamed Special Edition 1.02

• Xu Yiyang unnamed_se_1_03.zip
  http://xuyiyang.com/download-manager.php?id=5

Xu Yiyang Blue Memories 1.5

• Xu Yiyang bluememories_1_501.zip
  http://xuyiyang.com/download-manager.php?id=2

Xu Yiyang WordPress Multiple Themes S Parameter Cross-Site Scripting Vulnerability

References:

• WordPress Blue Memories Theme Home Page (Xu Yiyang)
  
• WordPress Unnamed Theme Home Page (Xu Yiyang)