CVE-2024-39310: 
WordPress vulnerability analysis and mitigation

The Basil recipe theme for WordPress contains a Persistent Cross-Site Scripting (XSS) vulnerability (CVE-2024-39310) discovered in versions up to and including 2.0.4. The vulnerability exists in the post_title parameter due to insufficient input sanitization and output escaping. The issue was disclosed on July 1, 2024, and has been patched in version 2.0.5 (GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. While direct payload insertion is prevented by default WordPress validation, exploitation becomes possible when the Cooked plugin is installed, allowing attackers to inject malicious scripts through the title field of recipe post types (cp_recipe) (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses a compromised page, potentially leading to data theft, session hijacking, or other client-side attacks (GitHub Advisory).

Users should upgrade to Basil theme version 2.0.5 or later, which contains the security patch for this vulnerability (GitHub Advisory).