CVE-2021-24342

Name of the Vulnerable Software and Affected Versions JNews WordPress theme versions prior to 8.0.6

Description The issue is related to a Reflected Cross-Site Scripting (XSS) problem. It occurs because the cat id parameter in the POST request to the / endpoint with ajax-request=jnews (and action=jnews build mega category *) is not properly sanitized. This lack of sanitization leads to the XSS issue.

Recommendations For versions prior to 8.0.6, update to version 8.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the / endpoint with ajax-request=jnews and action=jnews build mega category * to minimize the risk of exploitation. Avoid using the cat id parameter in the affected API endpoint until the issue is resolved.