Description
Multiple vulnerabilities were discovered in the «CarSpot – Dealership WordPress Classified Theme», tested version v2.2.0:

- Authenticated Persistent XSS -> Registration Form/User Profile
- Authenticated Persistent XSS -> Ad Post
- IDOR leading to arbitrary deletion of ads

Edit (WPScanTeam):

January 17th, 2020 - Report Received & Envato Contacted
January 17th, 2020 - Envato Investigating
January 23rd, 2020 - v2.2.1 released, but issues still present in the demo.
January 24th, 2020 - Envato Contacted again.
January 27th, 2020 - Demo updated to 2.2.1, fixing the issue for new posts/ads, but data from previous ones is still not encoded/escaped when output.
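The last timeline entry illustrates a general point: sanitising input on save only protects ads created after the fix, while payloads already stored keep firing until the template escapes on output; the deletion IDOR is likewise fixed by authorising against the ad's owner rather than trusting the submitted ID. The following is an added example written for this advisory, not code from the CarSpot theme or from WPScan; the function names, the `ad_description` meta key, the `example_ad` post type and the `example_delete_ad` AJAX action are hypothetical, while the WordPress APIs used are real.

```php
<?php
// Added example (not the theme's code). Hypothetical names are marked as such.

// Input-side fix: new ads are sanitised when stored.
function example_save_ad_description( $post_id, $raw ) {
    update_post_meta( $post_id, 'ad_description', wp_kses_post( $raw ) );
}

// Output-side fix: ads stored before the input fix still contain their raw
// payload, so escaping must happen here as well. This covers old and new data.
function example_render_ad( $post_id ) {
    $title = get_the_title( $post_id );                    // user-controlled
    $desc  = get_post_meta( $post_id, 'ad_description', true ); // user-controlled

    // Vulnerable pattern (shown for contrast): raw values concatenated into HTML.
    // $html = '<h2>' . $title . '</h2><p>' . $desc . '</p>';

    // Hardened: escape for the HTML context the value lands in.
    return '<h2>' . esc_html( $title ) . '</h2>'
         . '<p>' . wp_kses_post( $desc ) . '</p>';
}

// Deletion handler: the IDOR arises when only the ad ID from the request is
// trusted. Require a nonce (CSRF) and an ownership-aware capability check.
add_action( 'wp_ajax_example_delete_ad', 'example_delete_ad' );
function example_delete_ad() {
    check_ajax_referer( 'example_delete_ad', 'nonce' );

    $post_id = isset( $_POST['ad_id'] ) ? absint( $_POST['ad_id'] ) : 0;
    $ad      = get_post( $post_id );

    // The ad must exist, be of the expected type, and the caller must be
    // allowed to delete *this* post (WordPress maps 'delete_post' to the
    // author's own capabilities, so another user's ad is refused).
    if ( ! $ad || 'example_ad' !== $ad->post_type
         || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'Not allowed', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
```

For the profile and registration fields named in the advisory, the same output-escaping rule applies to user meta rendered in templates.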