/*!
 - # VULNERABILITY: Car Repair Services WordPress Theme v3.9 - Unauthenticated Reflected XSS & XFS
 - # GOOGLE DORK: inurl:/wp-content/themes/car-repair-services/
 - # DATE: 2021-02-12
 - # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
 - # VENDOR: SmartDataSoft [ https://smartdatasoft.com ]
 - # SOFTWARE VERSION: <= 3.9
 - # SOFTWARE LINK: https://themeforest.net/item/car-repair-services-auto-mechanic-wordpress-theme/19823557
 - # CVSS: AV:N/AC:L/PR:N/UI:N/S:C
 - # CWE: CWE-79
 - # CVE: CVE-2021-24335
*/

### -- [ Info: ]

[i] Unauthenticated Reflected XSS & XFS (cross-frame scripting) vulnerabilities were discovered in the Car Repair Services theme through v3.9 for WordPress.
[i] Vulnerable parameter(s): &serviceestimatekey=.
[i] Plugin(s) affected: Auto Repair Search by SmartDataSoft [ https://smartdatasoft.com ].

### -- [ Impact: ]

[~] Malicious JavaScript code or iFrame injection, plus the ability to chain this with other attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payloads: ]

[$]
[$]
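The advisory's own payloads are not reproduced above, but the condition it describes (the `serviceestimatekey` value echoed back without encoding, on a page that can also be framed) can be checked with a canary rather than a live exploit. The script below is an added example, not code from the advisory author or the vendor; the only facts it takes from the advisory are the parameter name and the XSS/XFS classification. The URL layout, the response bodies and the HTTP headers in it are constructed for illustration, and `probe()` must only be pointed at a host you are authorized to test.

```python
"""Canary-based reflection and framing check for one GET parameter.

Added example for the advisory above; not the advisory's or vendor's code.
Assumed: the parameter is echoed somewhere in the HTML response. Response
bodies and headers used for the self-test below are constructed, not captured.
"""
import html
import secrets
import urllib.parse
import urllib.request

PARAM = "serviceestimatekey"   # parameter named in the advisory
SPECIALS = "<\"'>"             # must be encoded in HTML / attribute context


def build_canary(token: str) -> str:
    """token<token"token'token>token : each special sits between two token copies,
    so we can later tell exactly which characters survived unencoded."""
    return token + "".join(ch + token for ch in SPECIALS)


def raw_specials(body: str, token: str) -> set:
    """Special characters that came back verbatim between two copies of the token.
    Encoded copies (&lt; &quot; &#039; ...) are longer than one character and are
    ignored, as is anything stripped entirely."""
    positions = []
    i = body.find(token)
    while i != -1:
        positions.append(i)
        i = body.find(token, i + len(token))
    found = set()
    for a, b in zip(positions, positions[1:]):
        between = body[a + len(token):b]
        if len(between) == 1 and between in SPECIALS:
            found.add(between)
    return found


def framing_allowed(headers: dict) -> bool:
    """XFS precondition: neither X-Frame-Options nor a CSP frame-ancestors
    directive restricts who may frame the page."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-frame-options" in lowered:
        return False
    csp = lowered.get("content-security-policy", "")
    return "frame-ancestors" not in csp.lower()


def assess(body: str, headers: dict, token: str) -> dict:
    """Summarise what an attacker could do with the reflection point."""
    raw = raw_specials(body, token)
    return {
        "reflected": token in body,
        "raw_specials": raw,
        "html_injection": {"<", ">"} <= raw,        # can open a new tag
        "attr_breakout": bool(raw & {'"', "'"}),   # can close an attribute
        "frameable": framing_allowed(headers),
    }


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Send one GET with a random canary in PARAM (authorised targets only)."""
    token = "m0z" + secrets.token_hex(4)           # random so it cannot pre-exist in the page
    sep = "&" if "?" in base_url else "?"
    url = base_url + sep + urllib.parse.urlencode({PARAM: build_canary(token)})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
        headers = dict(resp.headers.items())
    return assess(body, headers, token)


# Constructed sample responses (not captured from any real site).
TOKEN = "m0zdeadbeef"
VULN_BODY = '<input name="key" value="' + build_canary(TOKEN) + '">'
SAFE_BODY = '<input name="key" value="' + html.escape(build_canary(TOKEN), quote=True) + '">'
VULN_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}
SAFE_HEADERS = {"Content-Type": "text/html; charset=UTF-8", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    print("vulnerable sample:", assess(VULN_BODY, VULN_HEADERS, TOKEN))
    print("hardened sample:  ", assess(SAFE_BODY, SAFE_HEADERS, TOKEN))
```

Reading the result: `html_injection` means `<` and `>` both survive, so script or iframe tags can be injected directly; `attr_breakout` means a quote survives, which is enough when the value lands inside an attribute even if angle brackets are encoded; `frameable` is what turns a reflection into the XFS case. A page that encodes the canary fully (the `SAFE_BODY` sample) but still lacks `X-Frame-Options` or `frame-ancestors` is not exploitable through this parameter, though it remains frameable.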