
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2019-17230) affects the OneTone WordPress theme through version 3.0.6. It was discovered in September 2019 and publicly disclosed on April 3, 2020. The vulnerability allows unauthenticated users to make unauthorized changes to theme options through the includes/theme-functions.php file (NVD, NinTechNet Blog).
The vulnerability stems from missing capability checks and security nonces in the theme's options import feature: the import handler neither verifies that the requester holds the privilege to change theme options nor that the request was deliberately submitted from the admin interface. This security flaw has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-79 (Cross-Site Scripting) (NVD, WPScan).
The vulnerability allows attackers to inject JavaScript code into all pages and posts of the affected website. This can affect both the public-facing pages and the WordPress backend where administrators manage the theme (NinTechNet Blog).
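As an added illustration (not OneTone's code, which this report does not reproduce), the following hypothetical theme options import handler shows the pattern the advisory describes, with the missing capability and nonce checks absent, next to a hardened version that also sanitizes imported values so script markup cannot reach rendered pages. All function and option names are assumed for the example.

```php
<?php
// Added illustration, not OneTone's code: a hypothetical theme options
// import handler in the shape the advisory describes, then a hardened one.

// Unsafe pattern: any request carrying the parameter imports options.
// With no capability check and no nonce, an unauthenticated request can
// overwrite theme settings, the class of flaw the advisory describes.
function hypothetical_unsafe_import_options() {
    if ( isset( $_POST['theme_options_import'] ) ) {
        $options = json_decode( wp_unslash( $_POST['theme_options_import'] ), true );
        if ( is_array( $options ) ) {
            update_option( 'hypothetical_theme_options', $options );
        }
    }
}

// Hardened pattern: run only from wp-admin, require the edit_theme_options
// capability, verify a nonce bound to this action, and sanitize each value.
// The matching form must emit the nonce with
// wp_nonce_field( 'hypothetical_import_options', 'hypothetical_import_nonce' ).
function hypothetical_safe_import_options() {
    if ( ! isset( $_POST['theme_options_import'] ) ) {
        return;
    }
    // Capability check: rejects unauthenticated and low-privilege users.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Nonce check: rejects forged cross-site requests riding an admin session.
    check_admin_referer( 'hypothetical_import_options', 'hypothetical_import_nonce' );

    $options = json_decode( wp_unslash( $_POST['theme_options_import'] ), true );
    if ( ! is_array( $options ) ) {
        wp_die( 'Invalid import payload.', 400 );
    }
    // Sanitize: wp_kses_post strips script tags and event handlers, so an
    // imported value cannot carry JavaScript into every page and post.
    $clean = array();
    foreach ( $options as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = is_string( $value ) ? wp_kses_post( $value ) : $value;
    }
    update_option( 'hypothetical_theme_options', $clean );
}

// Hook the hardened handler only on admin_init, so it never runs on the
// public front end.
add_action( 'admin_init', 'hypothetical_safe_import_options' );
```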
Since the theme is no longer maintained and no security patch is available, the recommended mitigation is to completely uninstall the OneTone theme. Users of NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium) are protected against this vulnerability (NinTechNet Blog).
The wordpress.org theme team was notified of the vulnerability on September 11, 2019, which led to the theme being permanently removed from the WordPress repository on October 10, 2019 (NinTechNet Blog).
Source: This report was generated using AI