CVE-2024-33540 is a stored cross-site scripting vulnerability (CWE-79) in the ThemeGrill ColorNews WordPress theme versions up to 1.2.6. It results from improper input neutralization during web page generation, enabling attackers with low privileges to inject persistent malicious scripts that execute when other users view the affected content. The vulnerability has a CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L), indicating network attack vector, low attack complexity, low privileges required, user interaction needed, scope changed, and impacts on confidentiality, integrity, and availability. No patch or official remediation level has been disclosed by the vendor as of the published date.

Successful exploitation of this vulnerability could allow an attacker with low privileges to inject malicious scripts that execute in the context of other users, potentially leading to information disclosure, modification of data, or disruption of service. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. However, exploitation requires user interaction and low privileges, which somewhat limits the attack surface. No known active exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should limit privileges of users who can submit content to the theme and consider applying temporary mitigations such as input sanitization or disabling vulnerable features if feasible. Monitor ThemeGrill's official channels for updates.