
CVE-2024-4158: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in creativethemeshq Blocksy

Severity: Medium
Tags: Vulnerability, CVE-2024-4158, CWE-79
Published: Thu May 09 2024 (05/09/2024, 20:03:21 UTC)
Source: CVE Database V5
Vendor/Project: creativethemeshq
Product: Blocksy

Description

CVE-2024-4158 is a stored cross-site scripting (XSS) vulnerability in the Blocksy WordPress theme up to and including version 2.0.42. It arises from improper sanitization and escaping of the 'tagName' parameter, allowing authenticated users with contributor-level permissions or higher to inject malicious scripts. These scripts execute when any user views the affected page, potentially compromising user data and session integrity. The vulnerability has a CVSS score of 6.4, indicating medium severity, with no known exploits in the wild currently. Exploitation requires authentication but no user interaction beyond visiting the injected page. This vulnerability affects a widely used WordPress theme, posing risks to websites globally, especially those with multiple contributors. Mitigation involves updating the theme once a patch is available, restricting contributor permissions, and implementing additional input validation and output encoding at the application level.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 00:30:38 UTC

Technical Analysis

CVE-2024-4158 is a stored cross-site scripting (XSS) vulnerability identified in the Blocksy WordPress theme developed by creativethemeshq, affecting all versions up to and including 2.0.42. The root cause is insufficient input sanitization and output escaping of the 'tagName' parameter during web page generation, which allows an authenticated attacker with contributor-level or higher permissions to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executes in the context of any user who accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L) but no user interaction (UI:N), and a scope change (S:C) indicating that the vulnerability affects resources beyond the initially vulnerable component. No public exploits are currently known. The vulnerability is significant because WordPress powers a large portion of the web, and Blocksy is a popular theme, often used on sites with multiple contributors, increasing the risk surface. The CWE-79 classification confirms this is an XSS issue, a common and impactful web vulnerability. The vulnerability was reserved on April 25, 2024, and published on May 9, 2024.

Potential Impact

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into web pages, which execute in the browsers of any visitors or administrators viewing those pages. This can lead to theft of session cookies, user credentials, or other sensitive information, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the vulnerability requires authentication at contributor level or above, it limits exploitation to insiders or compromised accounts but does not require user interaction beyond page viewing. The scope change means the attacker can affect resources beyond their own permissions, potentially escalating the impact. Organizations using the Blocksy theme on WordPress sites with multiple contributors or editors are at risk, especially those with sensitive user data or administrative users who frequently access content pages. The vulnerability could undermine trust, lead to data breaches, and cause reputational damage. Although no known exploits exist yet, the medium severity and ease of exploitation by authenticated users make timely mitigation critical.

Mitigation Recommendations

1. Immediately restrict contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity.
2. Monitor and review all user-generated content, especially inputs related to the 'tagName' parameter or similar fields, for suspicious scripts or HTML.
3. Apply strict input validation and output encoding on the server side to sanitize all user inputs, particularly in the theme's code handling 'tagName'.
4. Update the Blocksy theme to a patched version as soon as it becomes available from the vendor.
5. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting WordPress themes.
6. Educate content contributors about the risks of injecting scripts and enforce content submission policies.
7. Regularly scan the website for injected scripts or anomalies using security plugins or external scanning services.
8. Consider disabling or limiting the use of the vulnerable feature until a patch is applied, if feasible.
9. Employ Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting script sources.
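Recommendation 3 asks for input validation and output encoding around a user-controlled tag name. The following PHP is an added illustration, not Blocksy's own code: it allow-lists the tag name (the function names, the allow-list contents and the sample inputs are assumptions chosen for this example) and HTML-encodes the element's text content on output, so a stored value cannot change the generated markup.

```php
<?php
// Added example (not the theme's code): safe handling of a user-supplied
// HTML tag name before it is written into generated markup.
// Assumption: the value arrives as a string, e.g. from stored block attributes.

/**
 * Return a tag name that is safe to emit, or $fallback if the input is not on
 * the allow-list. Allow-listing is stricter than stripping odd characters:
 * a value such as "script" is a well-formed tag name but must still be refused.
 */
function example_safe_tag_name(string $tag_name, string $fallback = 'div'): string {
    // Hypothetical allow-list for a heading/container block.
    static $allowed = ['div', 'span', 'section', 'p', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6'];
    $normalized = strtolower(trim($tag_name));
    return in_array($normalized, $allowed, true) ? $normalized : $fallback;
}

/**
 * Build an element from untrusted parts. The tag comes from the allow-list and
 * the text is entity-encoded at output time, so neither part can break out of
 * the markup even if the raw values were stored unchanged in the database.
 */
function example_render_element(string $tag_name, string $content): string {
    $tag  = example_safe_tag_name($tag_name);
    $text = htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<{$tag}>{$text}</{$tag}>";
}

// Constructed sample inputs: a legitimate heading, a well-formed but disallowed
// tag name, and a value that tries to smuggle an attribute into the tag.
$samples = [
    ['h2', 'Release notes'],
    ['script', 'not a heading'],
    ['h2 class="x"', '<b>bold?</b>'],
];
foreach ($samples as [$tag_name, $content]) {
    echo example_render_element($tag_name, $content), PHP_EOL;
}
```

WordPress core's `tag_escape()` only strips characters outside `a-zA-Z0-9-_:` and lowercases the result; it does not decide which tags are acceptable, so an allow-list like the one above is still needed on top of it.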


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-04-25T00:08:56.638Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6b82b7ef31ef0b5561cb

Added to database: 2/25/2026, 9:37:06 PM

Last enriched: 2/26/2026, 12:30:38 AM

Last updated: 2/26/2026, 8:08:51 AM

