CVE-2024-29768: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Brainstorm Force's Astra WordPress theme, affecting versions through 4.6.4. The vulnerability was reported on January 29, 2024, and publicly disclosed on March 25, 2024. This security issue specifically impacts the theme header and footer content functionality (Patchstack, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the theme's header and footer content functionality. It has been assigned CVE-2024-29768 and received a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). This vulnerability specifically affects multi-site installations and installations where unfiltered_html has been disabled (Patchstack).

The vulnerability allows authenticated attackers with editor-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to unauthorized actions, data theft, or site defacement (WPScan).

The vulnerability has been patched in Astra theme version 4.6.5. Users are advised to update to this version or later to resolve the security issue (Patchstack).