CVE-2022-2627

Name of the Vulnerable Software and Affected Versions The Newspaper WordPress theme versions prior to 12

Description The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitized before being outputted back in an HTML attribute via an AJAX action. This can be exploited, and there are reports of it being used in real-world incidents, including a combination of POST-based XSS and CSRF, with an additional information disclosure of the absolute path of the web server.

Recommendations For versions prior to 12, update to version 12 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX action that outputs the unsanitized parameter to minimize the risk of exploitation.