CVE-2024-10848: 
WordPress vulnerability analysis and mitigation

The NewsMunch theme for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-10848. The vulnerability affects all versions up to and including 1.0.35, discovered and disclosed on December 5, 2024. The issue stems from insufficient input sanitization and output escaping in the theme's handling of display names (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 6.4 (Medium), using the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue specifically relates to how the theme handles display names, where insufficient input sanitization and output escaping allows for the injection of malicious web scripts (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page, potentially compromising the security of site visitors (NVD).

Users of the NewsMunch WordPress theme should update to a version newer than 1.0.35 if available. Until an update is possible, site administrators should carefully monitor and restrict user privileges, particularly for accounts with Contributor-level access or higher (NVD).