CVE-2024-24871: 
WordPress vulnerability analysis and mitigation

The Blocksy WordPress theme contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-24871, affecting versions up to and including 2.0.19. This security issue was discovered and reported on February 5, 2024, affecting installations where unfiltered_html has been disabled and multi-site installations (WPScan, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) with a CVSS v3.1 base score of 5.4 (MEDIUM) according to NIST, and 6.5 (MEDIUM) according to Patchstack. The issue stems from insufficient input sanitization and output escaping in the headers/footers functionality, allowing authenticated users with editor-level access to inject malicious web scripts (NVD, Patchstack).

The vulnerability allows authenticated attackers with editor-level privileges to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the compromised page, potentially leading to various malicious activities including data theft, session hijacking, or further compromise of the website (WPScan).

The vulnerability has been patched in version 2.0.20 of the Blocksy theme. Site administrators are advised to update to this version or later to resolve the security issue (Patchstack).