WordPress zBench theme <= 1.4.2 - Cross Site Scripting (XSS) vulnerability
No known patch is available for this vulnerability.
The affected theme has not been updated on WordPress.org since before this CVE was disclosed; the latest installable version is still vulnerable. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS in abandoned WordPress theme zBench up to 1.4.2 allows attackers to inject arbitrary scripts via unsanitized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The zBench WordPress theme (versions up to and including 1.4.2) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The theme fails to sanitize or escape input before storing it, allowing malicious scripts to be saved and later executed in the context of an administrator's browser. The theme is no longer maintained; its last release on WordPress.org was on 2014-09-23 [1].
Exploitation
An attacker with contributor-level access or higher (i.e., any user who can submit content that is stored and displayed) can inject arbitrary JavaScript into fields that are not sanitized. The injected script is stored on the server and executed when an administrator views the affected page. No special network position is required beyond being an authenticated user with posting privileges.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information such as cookies and authentication tokens. The impact is limited to the WordPress admin interface where the stored content is rendered.
Mitigation
No fix has been released; the theme is considered abandoned. The only mitigation is to uninstall the zBench theme and replace it with an actively maintained alternative. Users should not rely on any future patch given the long maintenance gap [1].
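To act on that advice you first need to know where the theme is installed. The sketch below is an added example, not part of the advisory or of the theme's code. It scans a web root for copies of the theme and assumes the standard `wp-content/themes/<slug>/style.css` layout, the directory slug `zbench`, and a `Version:` header in `style.css`; the sample tree in `demo()` is constructed.

```python
import os
import re
import tempfile

THEME_SLUG = "zbench"       # assumed theme directory name (affected-products entry)
LAST_AFFECTED = (1, 4, 2)   # advisory: versions up to and including 1.4.2

def parse_version(text):
    """Return the style.css 'Version:' header as a tuple of ints, or None."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9.]*)", text,
                  re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".") if p]
    while parts and parts[-1] == 0:   # treat 1.4.2.0 the same as 1.4.2
        parts.pop()
    return tuple(parts)

def find_affected(root):
    """Walk root; return (path, version, affected) for each installed copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() != THEME_SLUG:
            continue
        parent = os.path.basename(os.path.dirname(dirpath))
        if parent != "themes" or "style.css" not in files:
            continue
        css = os.path.join(dirpath, "style.css")
        with open(css, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(8192))  # header sits at the top
        # No fixed release exists, so an unreadable version counts as affected.
        affected = version is None or version <= LAST_AFFECTED
        findings.append((dirpath, version, affected))
    return sorted(findings)

def demo():
    """Scan a constructed two-site tree; only site-a carries the theme."""
    with tempfile.TemporaryDirectory() as root:
        for site, theme, ver in [("site-a", "zbench", "1.4.2"),
                                 ("site-b", "example-theme", "3.0")]:
            d = os.path.join(root, site, "wp-content", "themes", theme)
            os.makedirs(d)
            with open(os.path.join(d, "style.css"), "w", encoding="utf-8") as fh:
                fh.write(f"/*\nTheme Name: {theme}\nVersion: {ver}\n*/\n")
        return [(os.path.relpath(p, root), v, a)
                for p, v, a in find_affected(root)]

if __name__ == "__main__":
    for path, version, affected in demo():
        print(path, version, "AFFECTED" if affected else "ok")
```

Point `find_affected()` at the directory that holds your sites; an inactive copy still shows up, since the advisory's recommendation is to uninstall the theme.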
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
zbench
This theme appears unmaintained; its last release on WordPress.org predates this CVE's publication, so no fix has been shipped since the vulnerability was disclosed. The latest installable version is still vulnerable. Users should uninstall it or switch to an actively maintained alternative.
Source: api.wordpress.org · directory page
References: 1
News mentions: 0
No linked articles in our index yet.