CVE-2017-18634
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts via the td_ads[header] parameter in the Newspaper theme for WordPress. Attackers can execute arbitrary JavaScript in the context of the affected website, potentially compromising user sessions and site integrity. WordPress sites using Newspaper theme versions before 6.7.2 are affected.
💻 Affected Systems
- Newspaper WordPress Theme
📦 What is this software?
Newspaper by Tagdiv
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover through session hijacking, credential theft, malware distribution to visitors, and persistent backdoor installation.
Likely Case
Unauthorized ad injection, SEO spam, redirects to malicious sites, and potential credential harvesting from site visitors.
If Mitigated
Limited impact with proper input validation and output encoding, though script injection could still occur if the vulnerability is exploited.
🎯 Exploit Status
Exploitation is straightforward via POST requests to admin-ajax.php with malicious td_ads[header] parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.7.2 and later
Vendor Advisory: https://themeforest.net/item/newspaper/5489609
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Appearance > Themes
3. Check if Newspaper theme is active
4. Update to version 6.7.2 or later
5. Clear any caching plugins/CDN caches
🔧 Temporary Workarounds
Disable vulnerable endpoint
Temporarily block access to admin-ajax.php for unauthenticated users
# Add to .htaccess for Apache:
<Files "admin-ajax.php">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
# Add to nginx config:
location ~* /wp-admin/admin-ajax.php {
allow 127.0.0.1;
deny all;
}
Input validation filter
Add a custom filter to sanitize td_ads parameters
# Add to theme's functions.php:
// pre_update_option_{$option} runs before the td_ads option is written, so the
// header slot is sanitized before it reaches the database.
add_filter('pre_update_option_td_ads', function($value) {
    if (is_array($value) && isset($value['header'])) {
        // wp_kses_post() strips <script> elements and inline event-handler attributes
        // while keeping the HTML allowed in post content.
        $value['header'] = wp_kses_post($value['header']);
    }
    return $value;
});
🧯 If You Can't Patch
- Switch to a different WordPress theme temporarily
- Implement WAF rules to block requests containing malicious script patterns in td_ads[header] parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Appearance > Themes > Newspaper theme version. If version is below 6.7.2, you are vulnerable.
Check Version:
wp theme list --fields=name,version | grep -i newspaper
Verify Fix Applied:
After updating, verify theme version shows 6.7.2 or higher. Test by attempting to inject script via td_ads[header] parameter - it should be sanitized.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with td_ads[header] parameter containing script tags or JavaScript
- Unusual admin-ajax.php requests from unexpected IPs
Network Indicators:
- HTTP POST to admin-ajax.php with malicious payloads in td_ads[header]
- Unexpected JavaScript loading from your domain
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND (http_method="POST" AND request_body MATCHES "td_ads.*header.*<script")
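As an added detection example (not part of this advisory, and not code from Tagdiv's theme), the following Python script applies the log indicators above to constructed JSON log lines whose field names follow the SIEM query (uri_path, http_method, request_body; src_ip and ts are assumed extras). It URL-decodes the form body before matching, so it also flags percent-encoded payloads that the raw-body regex in the SIEM query does not match, and it shows that gap side by side with the decoded check.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log records (JSON lines), not real traffic. Field names follow the
# SIEM query (uri_path, http_method, request_body); src_ip and ts are assumed extras,
# and "example_action" is a placeholder, not the theme's real AJAX action name.
SAMPLE_LOGS = """
{"ts":"2024-01-01T10:00:00Z","src_ip":"203.0.113.5","http_method":"POST","uri_path":"/wp-admin/admin-ajax.php","request_body":"action=example_action&td_ads%5Bheader%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"ts":"2024-01-01T10:00:05Z","src_ip":"198.51.100.7","http_method":"POST","uri_path":"/wp-admin/admin-ajax.php","request_body":"action=heartbeat&_nonce=0123abcd"}
{"ts":"2024-01-01T10:00:09Z","src_ip":"203.0.113.5","http_method":"POST","uri_path":"/wp-admin/admin-ajax.php","request_body":"action=example_action&td_ads[header]=<img src=x onerror=alert(1)>"}
{"ts":"2024-01-01T10:00:12Z","src_ip":"192.0.2.9","http_method":"GET","uri_path":"/wp-admin/admin-ajax.php","request_body":""}
{"ts":"2024-01-01T10:00:15Z","src_ip":"192.0.2.10","http_method":"POST","uri_path":"/wp-admin/admin-ajax.php","request_body":"action=example_action&td_ads%5Bheader%5D=%3Cdiv+class%3D%22ad%22%3Eplain+banner%3C%2Fdiv%3E"}
""".strip()

# Patterns checked against the *decoded* td_ads[header] value only.
INJECTION_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),    # script element
    re.compile(r"javascript\s*:", re.I),  # javascript: URL scheme
    re.compile(r"\bon[a-z]+\s*=", re.I),  # inline event-handler attribute (onerror=, onload=, ...)
]

# The advisory's SIEM pattern, applied to the raw body for comparison.
PAGE_SIEM_REGEX = re.compile(r"td_ads.*header.*<script")


def naive_siem_match(request_body):
    """True if the raw (undecoded) body matches the advisory's SIEM regex."""
    return PAGE_SIEM_REGEX.search(request_body) is not None


def load_records(jsonl):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def inspect_record(rec):
    """Return the reasons a record looks like an attempt on td_ads[header], or [] if benign."""
    if rec.get("http_method") != "POST" or rec.get("uri_path") != "/wp-admin/admin-ajax.php":
        return []
    # parse_qs percent-decodes both keys and values, so td_ads%5Bheader%5D and
    # td_ads[header] end up under the same key.
    params = parse_qs(rec.get("request_body", ""), keep_blank_values=True)
    reasons = []
    for value in params.get("td_ads[header]", []):
        decoded = unquote_plus(value)  # second pass catches double-encoded payloads
        for pat in INJECTION_PATTERNS:
            if pat.search(decoded):
                reasons.append("td_ads[header] matches /%s/" % pat.pattern)
    return reasons


def scan_logs(jsonl):
    """Run inspect_record over every line and collect the hits with timestamp and source IP."""
    hits = []
    for rec in load_records(jsonl):
        reasons = inspect_record(rec)
        if reasons:
            hits.append({"ts": rec.get("ts"), "src_ip": rec.get("src_ip"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit["ts"], hit["src_ip"], "; ".join(hit["reasons"]))
    for rec in load_records(SAMPLE_LOGS):
        print("raw SIEM regex:", naive_siem_match(rec["request_body"]),
              "| decoded check:", bool(inspect_record(rec)))
```

Of the five constructed records, the script flags the two from 203.0.113.5 (a percent-encoded script element and an inline onerror handler) and leaves the heartbeat, the GET and the plain banner HTML alone; the raw-body regex from the SIEM query matches neither flagged record, which is why decoding the body before matching matters when turning the indicators above into an alert.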