0xDeco Blog


CVE-2025-1798: Design Comuni Italia WordPress Theme Unauthenticated Stored XSS

Today we're disclosing a cross-site scripting (XSS) vulnerability discovered in the "Design Comuni Italia" WordPress theme. This unauthenticated stored XSS vulnerability could allow attackers to execute malicious JavaScript when administrators review user-submitted ratings. The vulnerability has been assigned CVE-2025-1798 with a CVSS score of 8.8 (High).

SECURITY ADVISORY

This vulnerability affects Design Comuni Italia theme versions below 1.11.2.

Vulnerability Overview

The vulnerable component is the ratings functionality present on many of the theme's pages:

Image 1: The vulnerable rating component interface

The POST parameters affected by this vulnerability are radioResponse and freeText:

Image 2: The vulnerable POST parameters

An XSS payload inserted into either of these two parameters will be executed as soon as an authenticated user (typically an administrator) views the ratings via the WordPress dashboard at:

/wp-admin/edit.php?post_type=rating

Proof of Concept

PoC for the radioResponse parameter:

Image 3: Injection of XSS payload into radioResponse parameter
Image 4: Successful execution of radioResponse XSS payload

PoC for the freeText parameter:

Image 5: Injection of XSS payload into freeText parameter
Image 6: Successful execution of freeText XSS payload

Technical Analysis

The vulnerability occurs because user input from the radioResponse and freeText parameters is stored in the database without sanitization and then rendered in the WordPress admin dashboard without escaping HTML special characters. By default, WordPress sets the HttpOnly flag on its authentication cookies, which significantly reduces the impact of this vulnerability; however, since this theme is widely used by Italian municipalities, some of which integrate multiple services on the same host, an attacker might still be able to steal authentication cookies belonging to other services running on the same website.
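As an added illustration (this is not the theme's own code, which is not reproduced here), the generic defect described above is shown beside a hardened handler built from WordPress's standard helpers; the function names and meta keys are hypothetical.

```php
<?php
// Illustrative pattern only, NOT the Design Comuni Italia theme's code.
// Hypothetical function names and meta keys; the 'rating' post type is
// the one the advisory mentions.

// --- Vulnerable pattern: raw input stored, raw output echoed ---------------
function hypothetical_save_rating_vulnerable() {
    $post_id = wp_insert_post( array(
        'post_type'   => 'rating',
        'post_status' => 'publish',
    ) );
    // Stored verbatim: any markup in the request survives the round trip.
    update_post_meta( $post_id, 'radioResponse', $_POST['radioResponse'] );
    update_post_meta( $post_id, 'freeText',      $_POST['freeText'] );
}

function hypothetical_render_rating_column_vulnerable( $post_id ) {
    // Echoed unescaped in the wp-admin list: this is where stored XSS fires.
    echo get_post_meta( $post_id, 'freeText', true );
}

// --- Hardened pattern: validate on the way in, escape on the way out -------
function hypothetical_save_rating_hardened() {
    // radioResponse is a fixed choice, so accept only a known value.
    $allowed = array( '1', '2', '3', '4', '5' );
    $radio   = isset( $_POST['radioResponse'] ) ? (string) $_POST['radioResponse'] : '';
    if ( ! in_array( $radio, $allowed, true ) ) {
        wp_die( 'Invalid rating value', '', array( 'response' => 400 ) );
    }
    // Free text: strip tags and invalid UTF-8, then bound the length.
    $text = sanitize_text_field( wp_unslash( $_POST['freeText'] ?? '' ) );
    $text = mb_substr( $text, 0, 1000 );

    $post_id = wp_insert_post( array(
        'post_type'   => 'rating',
        'post_status' => 'publish',
    ) );
    update_post_meta( $post_id, 'radioResponse', $radio );
    update_post_meta( $post_id, 'freeText',      $text );
}

function hypothetical_render_rating_column_hardened( $post_id ) {
    // Output encoding is the control that actually stops the XSS, even for
    // a value that reached the database unsanitised (e.g. via another path).
    echo esc_html( get_post_meta( $post_id, 'freeText', true ) );
}
```

The input-side checks reduce what can be stored, but the admin screen is only safe because every value is passed through esc_html() at render time.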

Remediation

Update to version 1.11.2 or newer.

Conclusion

Our team responsibly disclosed this vulnerability to Developers Italia on January 21, 2025, and they promptly addressed it in a security release. We thank their team for the very fast response and resolution :) If for some reason you want to contact me, or just want to chat, DM me on X @0xDeco or send an
