CVE-2024-5613 is a reflected Cross-Site Scripting vulnerability identified in the Formula WordPress theme developed by awordpresslife. The vulnerability arises from improper neutralization of user-supplied input in the 'id' parameter within the 'quality_customizer_notify_dismiss_action' AJAX action. Specifically, the theme fails to adequately sanitize and escape this parameter before reflecting it in the web page output, enabling attackers to inject malicious JavaScript code. Because this is a reflected XSS, the attack requires an attacker to craft a malicious URL containing the payload and convince a user to click it. The vulnerability affects all versions up to and including 0.5.1 of the Formula theme. The CVSS 3.1 base score is 6.1, reflecting a network attack vector with low attack complexity, no privileges required, but requiring user interaction. The scope is changed (S:C) because the vulnerability can affect resources beyond the vulnerable component, such as user sessions or other site content. The impact on confidentiality and integrity is low, with no availability impact. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The vulnerability is categorized under CWE-79, which is a common web application security issue related to improper input validation and output encoding.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the context of the affected website. This can lead to session hijacking, theft of cookies or credentials, defacement, or redirection to malicious sites. While the confidentiality and integrity impacts are considered low, the ability to execute scripts can facilitate further attacks such as phishing or spreading malware. Since the vulnerability is exploitable without authentication but requires user interaction, the risk depends on the attacker’s ability to lure users into clicking malicious links. Organizations running websites with the Formula theme are at risk of reputational damage, user trust erosion, and potential data leakage. The lack of availability impact means the site’s uptime is not directly threatened. However, successful exploitation could indirectly affect availability if attackers use the vulnerability as a foothold for more severe attacks.

Organizations should immediately upgrade the Formula WordPress theme to a version that addresses this vulnerability once released by the vendor. In the absence of an official patch, site administrators can implement strict input validation and output encoding on the 'id' parameter in the AJAX action to neutralize malicious scripts. Employing a Web Application Firewall (WAF) with rules to detect and block reflected XSS payloads targeting this parameter can provide temporary protection. Additionally, enabling Content Security Policy (CSP) headers can restrict the execution of unauthorized scripts. Site owners should educate users about the risks of clicking suspicious links and monitor web server logs for unusual requests to the vulnerable AJAX endpoint. Regular security audits and scanning for XSS vulnerabilities in themes and plugins are recommended to prevent similar issues.