CVE-2024-39629: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ThemeGrill's Himalayas WordPress theme, affecting versions up to and including 1.3.2. The vulnerability was identified on July 22, 2024, and was assigned CVE-2024-39629. This security issue specifically impacts WordPress installations where the theme is active, particularly affecting multi-site installations and systems where unfilteredhtml has been disabled ([Patchstack](https://patchstack.com/database/vulnerability/himalayas/wordpress-himalayas-theme-1-3-2-cross-site-scripting-xss-vulnerability?s_id=cve), WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS 3.1 base score of 4.8 (MEDIUM) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 5.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the theme's code (NVD).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page. The impact is particularly significant for multi-site installations and systems where unfiltered_html has been disabled (WPScan).

As of the latest reports, there is no official patch available for this vulnerability. The issue is currently unpatched, and users are advised to implement additional security measures to protect their WordPress installations (Wordfence).