The issue appears when pagination comes into play while navigating a WordPress site with the Enfold theme active. When that occurs, the parameter "avia-element-paging" appears.


An attacker can add input text to the URL that is reflected in the response. There is therefore an XSS vulnerability, which can be exploited by crafting a customized URL that includes a link to a paginated entry:


The "ProofOfConcept" text will be reflected in the server's response and included in the generated page buttons.
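
The pattern behind this kind of reflection, shown as an added example that is not taken from Enfold's source: page-button links built from the request URI without output escaping, next to a hardened version. The function names, link markup, the `demo` parameter and the sample URI are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: appends the paging parameter to the raw request URI.
function page_href(string $requestUri, int $n): string
{
    $sep = (strpos($requestUri, '?') === false) ? '?' : '&';
    return $requestUri . $sep . 'avia-element-paging=' . $n;
}

// Vulnerable pattern: request-derived text reaches the href attribute as-is,
// so a quote character in the URL ends the attribute and the rest becomes markup.
function pagination_unsafe(string $requestUri, int $pages): string
{
    $html = '';
    for ($n = 1; $n <= $pages; $n++) {
        $html .= '<a href="' . page_href($requestUri, $n) . '">' . $n . "</a>\n";
    }
    return $html;
}

// Hardened pattern: parse the URI, re-encode the query string, then escape
// the result for the HTML attribute context before printing it.
function pagination_safe(string $requestUri, int $pages): string
{
    $path = parse_url($requestUri, PHP_URL_PATH) ?: '/';
    parse_str((string) parse_url($requestUri, PHP_URL_QUERY), $query);

    $html = '';
    for ($n = 1; $n <= $pages; $n++) {
        $query['avia-element-paging'] = $n;
        $href = $path . '?' . http_build_query($query);
        $html .= '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
               . '">' . $n . "</a>\n";
    }
    return $html;
}

// Constructed request URI carrying a harmless markup marker.
$uri = '/blog/?demo="><b>ProofOfConcept</b>';

echo "--- unescaped ---\n", pagination_unsafe($uri, 2);
echo "--- escaped ---\n", pagination_safe($uri, 2);
```

In the unescaped output the marker appears as live markup outside the `href` attribute; in the escaped output it stays inside the attribute as percent-encoded data. In WordPress code the corresponding output-escaping helpers are `esc_url()` and `esc_attr()`.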

The attacker can exploit this issue by sending the following payload:


which can be decoded as:


and the Base64 payload decoded as: