WordPress Theme OneTone: Unauthenticated Stored Cross-Site Scripting (XSS)
Description
The OneTone WordPress theme versions 3.0.6 and earlier contain an unauthenticated stored Cross-Site Scripting (XSS) vulnerability. This flaw allows remote attackers to inject malicious JavaScript code into the website without requiring authentication. Once stored, the malicious script executes in the browsers of users who view the affected pages, including administrators.
Remediation
Immediately remove the OneTone theme from your WordPress installation, as no patch is available for this vulnerability. Follow these steps:

1. Log into your WordPress admin dashboard
2. Navigate to Appearance > Themes
3. Activate a different, secure theme (preferably from the official WordPress repository)
4. Delete the OneTone theme completely
5. Review your website content and database for any injected malicious scripts, particularly in user-submitted content areas
6. Check administrator and user session cookies for signs of compromise
7. Consider implementing a Web Application Firewall (WAF) to provide additional protection against XSS attacks

If you require similar functionality, select an actively maintained alternative theme from reputable sources with regular security updates.
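One way to carry out step 5 (reviewing content and database rows for injected scripts), as an added example that is not part of this advisory: a small Python triage script that scans exported WordPress rows for common stored-XSS markers. The marker list and the sample rows are constructed for this example; in practice you would feed it rows exported from wp_posts, wp_options and wp_comments, and treat each hit as a lead to inspect by hand rather than as proof of compromise.

```python
import re

# Markers that commonly indicate injected script in stored content.
# Constructed for this example; extend it for your own site.
MARKERS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"\son[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("iframe", re.compile(r"<\s*iframe\b", re.I)),
    ("encoded script tag", re.compile(r"(?:%3C|&lt;|&#60;|&#x3c;)\s*script", re.I)),
]


def scan_rows(rows):
    """rows: iterable of (table, row_id, field, text) tuples, e.g. exported from
    wp_posts.post_content, wp_options.option_value or wp_comments.comment_content.
    Returns a list of (table, row_id, field, marker_name) for every marker that
    matches a row; a row can produce several hits."""
    hits = []
    for table, row_id, field, text in rows:
        for name, pattern in MARKERS:
            if pattern.search(text or ""):
                hits.append((table, row_id, field, name))
    return hits


# Constructed sample rows standing in for a database export (not real site data).
SAMPLE_ROWS = [
    ("wp_posts", 12, "post_content", "<p>Welcome to our site.</p>"),
    ("wp_posts", 15, "post_content",
     '<p>Hi</p><script src="//cdn.example/injected.js"></script>'),
    ("wp_options", 301, "option_value",
     'a:1:{s:6:"footer";s:29:"<img src=x onerror=alert(1)>";}'),
    ("wp_comments", 7, "comment_content", "Nice post, thanks!"),
    ("wp_options", 302, "option_value",
     "&lt;script&gt;fetch('/wp-admin/')&lt;/script&gt;"),
]

if __name__ == "__main__":
    for table, row_id, field, marker in scan_rows(SAMPLE_ROWS):
        print("%s id=%s field=%s: %s" % (table, row_id, field, marker))
```

Entity-encoded markers are checked because WordPress stores some option values and post content HTML-escaped, so a plain `<script` search would miss them.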