VYPR
Medium severity 6.5 · NVD Advisory · Published May 6, 2024 · Updated Apr 28, 2026

CVE-2024-34376

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Freesia Edge allows Stored XSS. This issue affects Edge: from n/a through 2.0.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Theme Freesia Edge WordPress theme through version 2.0.9 allows attackers to inject arbitrary scripts.

Vulnerability

The Theme Freesia Edge WordPress theme, in versions through 2.0.9, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. The issue stems from insufficient sanitization of input fields, which allows malicious scripts to be stored and later executed when other users view the affected pages.

Exploitation

An attacker with contributor-level access or higher can inject malicious JavaScript code into input fields that are not properly sanitized. The injected script becomes stored in the application's data and is subsequently rendered on pages viewed by other users, including administrators. No special network position is required beyond normal authenticated access to the WordPress admin interface.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The attacker does not gain direct server-level access but can compromise the security of other users interacting with the affected theme.

Mitigation

Users should update the Edge theme to version 2.1.2 or later, as this update addresses the vulnerability [1]. If an immediate update is not possible, consider restricting contributor and author roles or disabling user registration. As of the publication date, no known workarounds are documented beyond patching.

References
  1. Edge

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2
