Security researchers recently discovered a vulnerability in the DWT - Directory & Listing WordPress Theme, which can lead to a Stored Cross-Site Scripting (XSS) attack. In this long-read post, we will explore the details of this vulnerability, the attack vector, and how one can prevent potential exploits.
The Vulnerability (CVE-2025-0169)
The DWT - Directory & Listing WordPress Theme is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to and including 3.3.4. The cause of this vulnerability is insufficient input sanitization and output escaping on user-supplied attributes. As a result, attackers with contributor level and above permissions can inject arbitrary web scripts into pages that are executed whenever a user accesses an injected page.
Technical Details
The vulnerability lies in the improper handling of shortcode attributes. The DWT theme uses several custom shortcodes that allow users to create custom post types, such as directory listings, with various visual and functional aspects. To exploit this vulnerability, an attacker can inject malicious JavaScript code using the vulnerable shortcode attributes. When other users visit the affected page, the code will execute within their browsers, leading to a potential Stored XSS attack.
The following example demonstrates a simple attack scenario using the [dwt_listing_slider] shortcode:
[dwt_listing_slider btn_text="<script>alert('XSS');</script>" ]
In this case, the btn_text attribute is not properly sanitized or escaped. Hence, when a user visits the page containing this shortcode, the alert('XSS') JavaScript code will be executed within their browser.
Original References
[1] DWT Documentation on Shortcodes: DWT Shortcodes Documentation
[2] WordPress.org DWT Theme Page: DWT - Directory & Listing WordPress Theme
Exploit Details
The exploit can be carried out by an authenticated attacker with contributor-level or higher privileges. To exploit the vulnerability, the attacker creates a new post or edits an existing one and injects malicious JavaScript code within the vulnerable shortcode attribute value. Once the post is saved and published, any user who visits this page will be affected by the Stored XSS attack.
How to Prevent The Exploit
Users of the DWT - Directory & Listing WordPress Theme should update the theme to the latest version, which fixes the vulnerability. If you are running an outdated version and cannot update immediately, the risk of Stored XSS can be reduced by sanitizing shortcode attribute values on input and escaping them on output, using the escaping function that matches the HTML context in which each value is rendered (element text, attribute value, or URL).
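To make the fix concrete, here is an added example of a shortcode handler written in the shape the advisory describes: a vulnerable version that echoes the btn_text attribute verbatim, next to a hardened version that sanitizes the attribute on input and escapes it on output with context-appropriate WordPress escapers. This is illustration code, not the DWT theme's own code; the shortcode name example_listing_slider, the attribute btn_url and the markup are assumptions chosen to mirror the [dwt_listing_slider btn_text="..."] pattern from the text. shortcode_atts, sanitize_text_field, esc_html, esc_url and add_shortcode are standard WordPress functions.

```php
<?php
// Added example, not the DWT theme's code. The shortcode name, the btn_url
// attribute and the surrounding markup are assumptions for illustration.

// BEFORE (the vulnerable pattern): the attribute value is concatenated into
// the page unchanged, so whatever a contributor puts in btn_text is rendered
// as HTML in every visitor's browser.
function example_listing_slider_unsafe( $atts ) {
    $atts = shortcode_atts(
        array(
            'btn_text' => 'View listing',
            'btn_url'  => '#',
        ),
        $atts,
        'example_listing_slider'
    );

    // No sanitization, no escaping: btn_text lands in the output verbatim.
    return '<div class="listing-slider"><a href="' . $atts['btn_url'] . '">'
        . $atts['btn_text'] . '</a></div>';
}

// AFTER (hardened): sanitize on the way in, escape on the way out, and pick
// the escaper by output context (text node vs. URL attribute).
function example_listing_slider_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'btn_text' => 'View listing',
            'btn_url'  => '#',
        ),
        $atts,
        'example_listing_slider'
    );

    // Input sanitization: sanitize_text_field() strips tags, removes line
    // breaks and control characters, and trims the value.
    $btn_text = sanitize_text_field( $atts['btn_text'] );

    // Output escaping: esc_html() neutralizes <, >, &, and quotes in element
    // text; esc_url() rejects unsafe protocols and encodes the href value.
    return sprintf(
        '<div class="listing-slider"><a href="%s">%s</a></div>',
        esc_url( $atts['btn_url'] ),
        esc_html( $btn_text )
    );
}

// Only the hardened handler is registered; the unsafe one is kept above
// solely for comparison.
add_shortcode( 'example_listing_slider', 'example_listing_slider_safe' );
```

Two points are worth keeping in mind when applying this pattern to a real theme. First, sanitization and escaping are complementary, not interchangeable: sanitization limits what is stored, escaping guarantees the value cannot break out of the context where it is printed, and a fix that does only one of them leaves a gap. Second, the escaper must match the context: a value printed inside an HTML attribute needs esc_attr(), a value used as a link needs esc_url(), and a value that legitimately carries limited markup should go through wp_kses_post() rather than being output raw.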
Conclusion
The Stored Cross-Site Scripting vulnerability in the DWT - Directory & Listing WordPress Theme poses a significant security threat for websites using this theme. To keep your site and its users safe, it is essential to update the theme to the latest version and ensure that appropriate security measures, such as input sanitization and output escaping, are in place. In addition, it is recommended to grant contributor-level permissions only to trusted users to avoid exploitation of potential vulnerabilities.
Timeline
Published on: 02/08/2025 23:15:08 UTC
Last modified on: 02/11/2025 18:15:24 UTC