WordPress CSS Hero 4.0.3 Cross Site Scripting

WordPress CSS Hero plugin versions 4.0.3 and below suffer from an authenticated reflected cross site scripting vulnerability.

MD5 | 67191f29a0b7bf239bf91ecbc08bb983


Document Title

Reflected XSS in CSS Hero (<= v.4.0.3) WordPress plugin.

Product Description

CSS Hero WordPress Plugin

A live WordPress Theme editor that works without modifying any of your
theme files. Very low performance footprint: only generates and adds a
single static CSS file to your site.

Homepage: https://www.csshero.org/

CSS Hero (<= v.4.0.3) is vulnerable to an authenticated reflected XSS attack: a logged-in user who opens a crafted link to the plugin's page has attacker-supplied JavaScript executed in their browser session.

1) Authenticate to a WordPress site with the CSS Hero plugin (<= v.4.0.3) installed.

2) Navigate to the following vulnerable link:


3) JavaScript executes in the browser within the context of the authenticated WordPress session. The arbitrary query-string parameter name and its value are both reflected unencoded into the returned HTML, so a crafted parameter breaks out of the surrounding markup and injects a script.
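To make the reflection described in steps 1 to 3 concrete, the following is an added illustration, not code from the CSS Hero plugin: a hypothetical WordPress admin page that echoes every query-string parameter name and value back into hidden form fields, first without escaping (the reflected XSS pattern) and then with WordPress's esc_attr(). The function names render_params_vulnerable and render_params_hardened, the polyfills and the sample parameters are assumptions made for this example.

```php
<?php
// Added illustration, not CSS Hero's code: a hypothetical WordPress admin
// page that reflects every query-string parameter name and value into the
// HTML. The first renderer is vulnerable, the second is hardened.
//
// Polyfills so the file also runs under plain `php` outside WordPress; inside
// WordPress the real esc_attr()/esc_html() are used instead of these.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: parameter names and values (as taken from $_GET) are
// concatenated straight into attribute values. A name or value containing
// `">` closes the attribute and the tag, so whatever follows is parsed as
// new markup, including <script>.
function render_params_vulnerable(array $params) {
    $html = '<form method="post">';
    foreach ($params as $name => $value) {
        $html .= '<input type="hidden" name="' . $name . '" value="' . $value . '">';
    }
    return $html . '</form>';
}

// Hardened: every reflected fragment is escaped for the HTML attribute
// context, and non-scalar parameters (a[]=1 style arrays) are skipped.
function render_params_hardened(array $params) {
    $html = '<form method="post">';
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $html .= '<input type="hidden" name="' . esc_attr($name)
               . '" value="' . esc_attr($value) . '">';
    }
    return $html . '</form>';
}

// Constructed sample input standing in for $_GET after a crafted request such as
//   ?page=csshero&"><script>alert(document.domain)</script>=1
// (PHP keeps quotes and angle brackets in parameter names intact.)
$params = array(
    'page' => 'csshero',
    '"><script>alert(document.domain)</script>' => '1',
);

echo "Vulnerable output:\n" . render_params_vulnerable($params) . "\n\n";
echo "Hardened output:\n" . render_params_hardened($params) . "\n";
```

Running it with `php example.php` shows the vulnerable renderer emitting `name=""><script>alert(document.domain)</script>" value="1">`, where the injected parameter name has terminated the input tag and the script element is live, while the hardened renderer emits the same characters as `&quot;&gt;&lt;script&gt;...`, inert text inside the attribute. When checking a patched build such as v.4.0.7, confirm that both the parameter name and the value are escaped, since escaping only the value leaves the name as an injection point.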

Responsible Disclosure Information


Vendor Contacted: 11/17

Date Patched: 11/20

Patched Version: v.4.0.7

Public Disclosure: 12/2

Cary Hooper

