CVE-2023-29430: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in CTHthemes TheRoof WordPress theme versions 1.0.3 and below. The vulnerability was reported on January 31, 2023, and publicly disclosed on April 6, 2023. This security issue affects websites using the vulnerable versions of TheRoof theme (Patchstack).

The vulnerability stems from improper sanitization and escaping of a parameter before it is output back in the page, leading to a Reflected Cross-Site Scripting vulnerability. The issue has been assigned CVE-2023-29430 and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 6.1 (MEDIUM) from NIST and 7.1 (HIGH) from Patchstack (NVD, WPScan).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into affected websites. These injected scripts would be executed when visitors access the compromised site. The unauthenticated nature of the vulnerability makes it particularly concerning as it can be exploited without requiring any level of authentication (Patchstack).

The vulnerability has been fixed in version 1.0.4 of the TheRoof theme. Website administrators are strongly advised to update to version 1.0.4 or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the theme can be updated to a fixed version (Patchstack).