CVE-2024-47313 identifies a stored Cross-site Scripting (XSS) vulnerability in the Catch Base WordPress theme developed by catchthemes, affecting all versions up to and including 3.4.6. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored persistently within the website's content. When a victim visits a compromised page, the injected script executes within their browser context, potentially enabling attackers to hijack user sessions, steal cookies, perform actions on behalf of the user, or deliver malware. Stored XSS is particularly dangerous because the malicious payload is saved on the server and served to multiple users, increasing the attack surface. The vulnerability does not require authentication, meaning any unauthenticated attacker can exploit it by submitting crafted input that is later rendered without proper sanitization. Although no public exploits or patches are currently available, the vulnerability is publicly disclosed and assigned CVE-2024-47313. The affected product, Catch Base, is a WordPress theme used to design websites, implying that any WordPress site using this theme is potentially vulnerable. The lack of a CVSS score necessitates an assessment based on impact and exploitability factors. The vulnerability impacts confidentiality and integrity by enabling unauthorized script execution and potentially compromising user data. The scope includes all websites running the vulnerable theme version. The absence of required authentication and user interaction lowers the barrier for exploitation. This vulnerability is a significant risk for website operators and their users, especially in environments where sensitive data or user credentials are handled.

The primary impact of CVE-2024-47313 is the compromise of user confidentiality and integrity through the execution of arbitrary scripts in the context of affected websites. Attackers can leverage this vulnerability to steal session cookies, enabling account takeover, deface websites, or redirect users to malicious sites distributing malware or phishing content. For organizations, this can lead to reputational damage, loss of customer trust, regulatory penalties if personal data is exposed, and potential financial losses. Since the vulnerability is stored XSS, it can affect all visitors to the compromised site, amplifying the reach of the attack. Additionally, attackers might use the vulnerability as a foothold to escalate attacks or pivot to other internal systems if administrative users are targeted. The absence of authentication requirements makes it easier for attackers to exploit, increasing the likelihood of widespread abuse. Organizations relying on the Catch Base theme for public-facing websites, especially those handling sensitive user information or e-commerce transactions, face heightened risk. The lack of an official patch at the time of disclosure means the window of exposure remains open until mitigations are applied.

Organizations should immediately audit their WordPress installations to identify if the Catch Base theme version 3.4.6 or earlier is in use. Until an official patch is released, administrators should consider temporarily disabling or replacing the vulnerable theme to eliminate exposure. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads can reduce the risk of exploitation. Input validation and output encoding should be enforced on all user-generated content fields to prevent malicious script injection. Site administrators should review and sanitize existing content for injected scripts to remove any persistent malicious code. Regular backups should be maintained to enable restoration in case of compromise. Monitoring website logs for unusual input patterns or access attempts can help detect exploitation attempts early. Once a patch or update is available from catchthemes, it should be applied promptly. Additionally, educating content contributors about safe input practices and limiting permissions to trusted users can reduce the risk of malicious content insertion.