CVE-2022-2654 – Classima < 2.1.11 - Reflected Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2022-2654

The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting El tema Classima de WordPress versiones anteriores a 2.1.11 y algunos de sus plugins necesarios (Classified Listing versiones anteriores a 2.2.14, Classified Listing Pro versiones anteriores a 2.0.20, Classified Listing Store &amp; Membership versiones anteriores a 1.4.20 y Classima Core versiones anteriores a 1.10) no escapan un parámetro antes de devolverlo en atributos, conllevando a una taque de tipo Cross-Site Scripting Reflejado The Classima theme for WordPress is vulnerable to Reflected Cross-site Scripting in versions up to 2.1.11 due to insufficient input sanitization and output escaping on the 'q' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This also affects the Classified Listing plugin before 2.2.14, Classified Listing Pro plugin before 2.0.20, Classified Listing Store & Membership plugin before 1.4.20 and Classima Core plugin before 1.10 • https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •