CVE-2024-10250: 
WordPress vulnerability analysis and mitigation

The Nioland WordPress theme contains a Reflected Cross-Site Scripting (XSS) vulnerability via the 's' parameter in versions up to and including 1.2.6. The vulnerability was discovered by researcher sav4n and was assigned CVE-2024-10250. The issue was publicly disclosed on October 22, 2024, and has been fixed in version 1.2.7 (WPScan, NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the theme's handling of the 's' parameter. This security flaw has been assigned a CVSS v3.1 score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Wordfence).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The successful exploitation could lead to theft of sensitive information or manipulation of the user's browser session (NVD).

The vulnerability has been patched in version 1.2.7 of the Nioland theme. Users are strongly advised to update to this version or later to protect against this security issue (Themeforest).