Advisory:

Stored XSS in Salutation Responsive WordPress + BuddyPress Theme could allow logged-in users to do almost anything an admin can

Vulnerability

Last revised:

The theme contains JavaScript (assets/js/onLoad.js) which iterates through .section-tabs a and passes every href value it finds into jQuery(). jQuery() doesn’t just search for elements which match a selector (e.g. jQuery('.section-tabs')); when given a string that starts with '<' it parses that string as HTML and creates elements from it (e.g. jQuery('<div>')).

$('.section-tabs').simpleSlideTop();

// ...

$.fn.simpleSlideTop = function(opts) {

    // ...

    // href is taken straight from the post content, which an Author controls
    contentID = $(this).attr('href');

    // a string starting with '<' is parsed as HTML by jQuery(), so a crafted
    // href becomes live markup instead of a selector
    $(contentID).hide();

    // ...
};

An attacker without the unfiltered_html capability would be able to inject arbitrary HTML as if they had the unfiltered_html capability. With the ability to inject arbitrary HTML, the attacker is able to add JavaScript which causes a logged-in administrator user to do almost anything – including creating new user accounts, deleting posts, and more.
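The following is an added example, not code from the Salutation theme, showing how the href-to-jQuery() sink can be closed. The hardened version accepts only an href of the form "#id", and looks the element up by id, so the string is never handed to jQuery() for parsing. The function names (tabTargetId, looksLikeHtmlToJquery, hideTabPanel, makeStubDocument) are mine, and looksLikeHtmlToJquery is an approximation of the quick-expression test jQuery 1.9+ applies to string arguments (assumption: check it against the jQuery version the theme actually ships).

```javascript
// Added example (not the theme's code). The theme does
//     contentID = $(this).attr('href'); $(contentID).hide();
// which passes attacker-controlled text to jQuery(). The replacement below
// accepts only "#<id>" and resolves it with getElementById.

// Fragment identifier naming an element id, nothing else.
const FRAGMENT_ID = /^#([A-Za-z][\w-]*)$/;

// Return the element id named by a tab link's href, or null if the href is
// anything other than "#<id>" (HTML, absolute URLs, empty strings, ...).
function tabTargetId(href) {
  if (typeof href !== 'string') return null;
  const m = FRAGMENT_ID.exec(href.trim());
  return m ? m[1] : null;
}

// Approximation of jQuery 1.9+'s rquickExpr (assumption: verify against the
// shipped jQuery). If group 1 matches, jQuery() creates elements from the
// string instead of treating it as a selector.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;
function looksLikeHtmlToJquery(str) {
  const m = RQUICK_EXPR.exec(str);
  return !!(m && m[1]);
}

// Hardened replacement for the hide() call. `doc` is anything with a
// getElementById(id) method (a real document or the stub below). Returns
// true if a panel was hidden, false if the href was rejected or no element
// with that id exists.
function hideTabPanel(href, doc) {
  const id = tabTargetId(href);
  if (id === null) return false;
  const panel = doc.getElementById(id);
  if (!panel) return false;
  panel.hidden = true;
  return true;
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeStubDocument(ids) {
  const elements = Object.fromEntries(ids.map((id) => [id, { id, hidden: false }]));
  return {
    elements,
    getElementById(id) {
      return Object.prototype.hasOwnProperty.call(elements, id) ? elements[id] : null;
    },
  };
}

// Constructed sample hrefs: one legitimate tab link, and what the advisory's
// HTML-escaped href decodes to once the browser has parsed the attribute.
const SAMPLE_HREFS = ['#tab-1', '<img src=x onerror=alert(1)>'];

// Run both hrefs through the jQuery check and the hardened handler.
function demo() {
  const doc = makeStubDocument(['tab-1', 'tab-2']);
  return SAMPLE_HREFS.map((href) => ({
    href,
    jqueryWouldParseAsHtml: looksLikeHtmlToJquery(href),
    hidden: hideTabPanel(href, doc),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of resolving by id rather than by selector is that the fix no longer depends on what jQuery decides to do with an arbitrary string: even a future jQuery that relaxed its HTML detection would not reopen the sink, because the only value that ever reaches the DOM API is a validated id.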

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 4.9 (Medium)
  • Vector: Network
  • Complexity: Medium
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Click the activate button on the theme
  2. Install and activate Revolution Slider plugin
  3. Create a new user with role of Author (by default, Authors do not possess the unfiltered_html capability)
  4. Log in as that user
  5. Visit “Add New Post” screen
  6. Switch the editor to “Text” mode
  7. Enter the following: <div class="section-tabs"><a href="&lt;img src=x onerror=alert(1)&gt;">a</a></div>
  8. Press “Publish”
  9. Press “View post”
  10. You will see an alert box appear showing the value “1”

For comparison, if the same user account enters <img src=x onerror=alert(1)> or <script>alert(1)</script>, it will be blocked by WordPress.

Advisory timeline

  • 2017-04-26: Discovered
  • 2017-07-25: Reported via contact form on http://para.llel.us/
  • 2017-07-25: Vendor reported issue fixed in 3.0.16
  • 2017-07-31: Advisory published
  • 2017-07-31: Requested CVE
  • 2017-08-23: Received CVE

Mitigation/further actions

Upgrade to version 3.0.16 or later.