CVE-2024-5451 is a stored Cross-Site Scripting vulnerability identified in The7 — Website and eCommerce Builder for WordPress theme, versions up to and including 11.13.0. The flaw exists due to insufficient input sanitization and output escaping of the 'url' attribute within the theme's Icon and Heading widgets. Specifically, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages by manipulating this attribute. Because the vulnerability is stored, the malicious script persists in the website's content and executes in the browsers of any users who visit the infected pages. This can lead to theft of sensitive information such as authentication cookies, defacement, or redirection to malicious sites. The vulnerability requires no user interaction beyond visiting the compromised page but does require authenticated access, limiting exploitation to users with some level of trust on the site. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required. No public exploits have been reported yet, but the widespread use of The7 theme in WordPress sites, including eCommerce platforms, increases the risk profile. The vulnerability highlights the importance of proper input validation and output encoding in web application components that handle user-supplied data.

This vulnerability can have significant impacts on organizations running WordPress sites with The7 theme, particularly those with contributor-level users such as content creators or editors. Exploitation can lead to unauthorized script execution in site visitors' browsers, resulting in session hijacking, credential theft, unauthorized actions performed on behalf of users, or site defacement. For eCommerce sites, this could lead to theft of customer data or disruption of business operations. The requirement for authenticated access reduces the risk from external anonymous attackers but elevates the threat from insider threats or compromised accounts. The stored nature of the XSS means the malicious payload persists and affects all users accessing the infected pages, potentially amplifying the attack's reach. Organizations may face reputational damage, loss of customer trust, and regulatory consequences if sensitive data is compromised. The lack of a patch at the time of disclosure necessitates immediate mitigation to prevent exploitation.

1. Immediately restrict contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious input. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the 'url' attribute in The7 theme widgets. 3. Regularly audit and sanitize existing content in Icon and Heading widgets to remove any injected scripts. 4. Monitor user activity logs for unusual behavior from contributor-level users. 5. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6. Stay updated with Dream-Theme vendor announcements and apply official patches or updates as soon as they become available. 7. Consider temporarily disabling or replacing the vulnerable widgets if feasible until a patch is released. 8. Educate site administrators and content creators about the risks of injecting untrusted content and safe content management practices.