CVE-2024-5870 is a stored cross-site scripting vulnerability in the arnoldgoodway Tweaker5 WordPress theme affecting all versions up to 1.2. The vulnerability exists because the 'url' parameter within the theme's Button shortcode does not properly sanitize or escape input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary web scripts. These scripts execute in the context of users who access the injected pages, potentially leading to session hijacking or other script-based attacks. The vulnerability has a CVSS v3.1 score of 6.4, reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and impacts on confidentiality and integrity with no availability impact. No patch or official remediation has been provided as of the publication date.

An attacker with Contributor-level access or higher can exploit this vulnerability to inject malicious scripts that execute in other users' browsers when they view affected pages. This can lead to unauthorized actions such as session hijacking or data manipulation within the affected WordPress site. The impact is limited to confidentiality and integrity with no direct availability impact. Since the vulnerability requires authenticated access, the attack surface is somewhat limited but still significant in environments where contributors are trusted users.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should restrict Contributor-level access to trusted users only and consider disabling or removing the Tweaker5 theme if possible. Monitoring for unusual activity related to shortcode usage may help detect exploitation attempts. Avoid using the vulnerable 'url' parameter in the Button shortcode or sanitize inputs manually if feasible.