Blog: Vulnerability Advisory
DOM XSS in iThemes Security Pro
'<div id="itsec-meta-link-wrap" class="hide-if-no-js screen-meta-toggle">' +
'<a href="' + document.location + '&show_admin_modal=true" class="show-settings">' + itsec_dashboard.text + '</a>' +
It should be noted that the URL would have to be passed in a "raw" state, without URL encoding.
It would be hard to find a vector to exploit this, as the context of the script suggests it belongs to a backend security dashboard, meaning that its exposure is limited.
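The sink above concatenates document.location straight into an HTML string. The following added example (not code from the plugin or the iThemes patch) reproduces that pattern as buildLinkHtmlUnsafe and places a hardened buildLinkHtmlSafe beside it; both function names, the escapeHtml helper and the sample URL are assumptions constructed for the demonstration, and the "location" is passed in as a plain string so the code runs outside a browser.

```javascript
// Vulnerable pattern from the advisory: the current URL and the link text are
// concatenated raw into markup, so any '"' or '<' in the URL escapes the href
// attribute and becomes part of the document. Also note the hard-coded '&',
// which is wrong whenever the page URL carries no query string yet.
function buildLinkHtmlUnsafe(locationHref, linkText) {
  return '<a href="' + locationHref + '&show_admin_modal=true" class="show-settings">' +
         linkText + '</a>';
}

// Minimal HTML entity encoder for text that lands inside element content or
// a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened version: parse the location with the URL API (throws on garbage),
// add the parameter through searchParams so it is percent-encoded and the
// '?' vs '&' separator is chosen correctly, then entity-encode everything
// that is written into markup.
function buildLinkHtmlSafe(locationHref, linkText) {
  const url = new URL(locationHref);
  url.searchParams.set('show_admin_modal', 'true');
  return '<a href="' + escapeHtml(url.href) + '" class="show-settings">' +
         escapeHtml(linkText) + '</a>';
}

// Constructed sample: a dashboard URL whose page parameter carries a quote
// and a tag, the "raw, un-encoded" state the advisory describes.
const SAMPLE_LOCATION = 'https://example.com/wp-admin/admin.php?page=itsec"<b>';
```

Running buildLinkHtmlUnsafe on SAMPLE_LOCATION leaves the quote and `<b>` in the output, while buildLinkHtmlSafe emits them as `%22%3Cb%3E` inside a properly terminated href.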
2. CVSS Score
As the code sits behind a backend system and is not obviously accessible, other vectors such as CSRF may be needed to exploit this.
The CVSSv2 base score is 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)
The CVSSv3 base score is 3.3 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N)
The iThemes Security team have been very responsive to the vulnerability alert and have issued a patch that validates this string.
Ensure that any installations of iThemes Security Pro have been updated to release 2.29 or later for the Pro version, and 5.3.5 or later for the free version (29th March 2016).
4. Vulnerability Timeline
20/03/2016 Vulnerability discovery
21/03/2016 iThemes security team notified
29/03/2016 Patch released
01/04/2016 Advisory released