CVE-2022-2167 - Reflected XSS Vulnerability in Newspaper WordPress Theme (< v12) – Deep Dive & Exploit Example

If you are running a WordPress site with the popular Newspaper theme and haven’t updated to version 12, you may be at risk! This post breaks down CVE-2022-2167, a serious Reflected Cross-Site Scripting (XSS) vulnerability in the theme, showing you—simply and safely—how it works, why it matters, and how to stay secure.

What is CVE-2022-2167?

Discovered in June 2022, this vulnerability affects Newspaper WordPress Theme versions before 12. An AJAX action fails to properly sanitize a parameter before putting it in an HTML attribute. This lets attackers inject malicious JavaScript into the page—which could then run in the victim’s browser if the victim visits a specially crafted link.

The Cause

In Newspaper’s code, an AJAX handler receives a parameter (for example, via $_POST or $_GET). Instead of cleaning (sanitizing) this variable, the code puts it right inside an HTML attribute in the AJAX response.

Here’s an illustrative (not full) code snippet based on the public Wordfence write-up and WPScan entry:

// Bad example: Unvalidated input used directly in output
add_action('wp_ajax_my_action', function() {
    $name = $_POST['name']; // ← not sanitized!
    echo '<div data-name="' . $name . '">Hello!</div>';
    die();
});

If an attacker sends the name parameter with malicious JavaScript, it ends up right inside the HTML’s data-name attribute.

The attacker creates a link that uses AJAX to send a payload, like

https://example.com/wp-admin/admin-ajax.php?action=my_action&name="; onmouseover="alert('XSS')

2. Victim Clicks the Link

When a user, like a site admin, clicks the link, the AJAX action is called with the injected payload.

The server responds with

<div data-name="" onmouseover="alert('XSS')">Hello!</div>

Now, hovering over this element will run the attacker’s code!

Working Exploit (Proof-of-Concept)

For many cases, this is done by tricking a user to open a link. Here’s a step-by-step proof-of-concept (in a safe way):

`

https://yoursite.com/wp-admin/admin-ajax.php?action=my_action&name="onmouseover="alert(document.domain)

`html

Hello!

How to Fix

The publisher fixed this in version 12. If you use the Newspaper theme below v12, update ASAP!

A corrected version using WordPress’s esc_attr() function for sanitizing

add_action('wp_ajax_my_action', function() {
    $name = $_POST['name'];
    $safe_name = esc_attr($name); // sanitize!
    echo '<div data-name="' . $safe_name . '">Hello!</div>';
    die();
});

Now, even if someone tries to inject JavaScript, it’s escaped and harmless.

Additional Protection

- Use a Web Application Firewall

References

- Wordfence Disclosure
- WPScan CVE-2022-2167
- Envato / Newspaper theme page

TL;DR

CVE-2022-2167 is a reflected XSS in the Newspaper WordPress theme before v12. It allows attackers to inject and run malicious JS because input wasn’t sanitized before being output in an HTML attribute via AJAX. Patch now! Always escape user input.

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 14:04:00 UTC