The DWT - Directory & Listing WordPress Theme is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NScriptsbundle Dwt Listing
APPScriptsbundle< 3.3.5
Related vulnerabilities
AdForest WordPress Theme — Authentication Bypass przez OTP (do v5.1.8)
AdForest dla WordPress — przejęcie konta i privilege escalation bez uwierzytelnienia
Podatność authentication bypass w motywie AdForest dla WordPress (≤ 5.1.6)
The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capabilit...
The CarSpot theme before 2.1.7 for WordPress has stored XSS via the Phone Number field.