Unauthenticated stored XSS vulnerability in WordPress OneTone theme (unpatched).

This theme is not maintained anymore and the vulnerability has never been fixed. Make sure to follow the recommendations below.

The WordPress OneTone theme, which has 20,000+ active installations, is prone to an unauthenticated settings import vulnerability that can lead to multiple stored XSS in versions 3.0.6 and below.

Reference

CVE-2019-17230, CVE-2019-17231

Unauthenticated options import and stored XSS

Due to missing capability checks and security nonces, an unauthenticated attacker can use the theme options import feature to inject JavaScript code into all pages and posts of the website:

The same code could also be used to target logged-in administrators when they edit the theme in the WordPress back-end:

Several additional security issues exist in that theme but we won’t provide more details.
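The bug class described above (an options import handler reachable without a capability check or a nonce, whose imported values are later echoed into every page) is easiest to understand next to a hardened handler. The code below is an added illustration written for this advisory; it is not OneTone's code, and every name in it (the `mytheme_` prefix, the `mytheme_options` option, the hypothetical option keys) is an assumption. The unsafe handler is shown only for contrast and is deliberately not hooked.

```php
<?php
/*
 * Added illustration for this advisory, not OneTone's code.
 * 'mytheme_*' functions, the 'mytheme_options' option and its keys are hypothetical.
 */

/* --- Unsafe pattern (for contrast, never hooked here): no capability check, no nonce,
 * --- no sanitisation. Note that admin_init also fires on admin-ajax.php, which is
 * --- reachable without logging in, so hooking this there would expose it to anyone. */
function mytheme_import_options_unsafe() {
    if ( empty( $_POST['mytheme_import'] ) ) {
        return;
    }
    $data = json_decode( wp_unslash( $_POST['mytheme_import'] ), true );
    update_option( 'mytheme_options', $data ); // untrusted HTML now lands in every page
}
// add_action( 'admin_init', 'mytheme_import_options_unsafe' );  // do NOT do this

/* --- Hardened handler. --- */
function mytheme_import_options_safe() {
    // 1. Only users allowed to change theme settings may import.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the request must carry a nonce issued by the theme's own form.
    check_admin_referer( 'mytheme_import_options', 'mytheme_import_nonce' );

    $raw  = isset( $_POST['mytheme_import'] ) ? wp_unslash( $_POST['mytheme_import'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Invalid import data.', '', array( 'response' => 400 ) );
    }

    // 3. Allow-list of known keys, each run through a sanitiser matching its use.
    $allowed = array(
        'site_tagline'  => 'sanitize_text_field', // plain text only
        'footer_text'   => 'wp_kses_post',        // limited HTML, no <script>/on* handlers
        'logo_url'      => 'esc_url_raw',         // valid URL, no javascript: scheme
        'posts_per_row' => 'absint',              // non-negative integer
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $data[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $data[ $key ] );
        }
    }
    update_option( 'mytheme_options', $clean );

    wp_safe_redirect( add_query_arg( 'imported', '1', admin_url( 'themes.php?page=mytheme' ) ) );
    exit;
}
// admin-post.php routes admin_post_{action} only to logged-in users; the
// admin_post_nopriv_ variant is intentionally not registered.
add_action( 'admin_post_mytheme_import_options', 'mytheme_import_options_safe' );

/* The settings form that issues the nonce the handler verifies. */
function mytheme_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mytheme_import_options">
        <?php wp_nonce_field( 'mytheme_import_options', 'mytheme_import_nonce' ); ?>
        <textarea name="mytheme_import" rows="10" cols="60"></textarea>
        <?php submit_button( 'Import settings' ); ?>
    </form>
    <?php
}

/* 4. Escape again at output time: stored values are still treated as untrusted. */
function mytheme_render_footer() {
    $opts = get_option( 'mytheme_options', array() );
    echo '<p class="tagline">' . esc_html( $opts['site_tagline'] ?? '' ) . '</p>';
    echo '<div class="footer">' . wp_kses_post( $opts['footer_text'] ?? '' ) . '</div>';
}
add_action( 'wp_footer', 'mytheme_render_footer' );
```

The three checks that matter are independent: the capability check stops anonymous and low-privilege users, the nonce stops a logged-in administrator from being tricked into submitting the form, and the allow-list plus output escaping stops any value that does get stored from executing in visitors' or administrators' browsers. A handler missing the first two is exactly what lets an unauthenticated request reach the import logic.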

Timeline

The issue was reported to the wordpress.org theme team on September 11, 2019, and the theme was permanently removed from the repository on October 10, 2019.

Recommendations

We recommend uninstalling this theme, as no security patch is available. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet