CVE-2024-43991: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in webdzier Hotel Galaxy WordPress theme, affecting versions through 4.4.24. The vulnerability was discovered and reported by security researcher stealthcopter, and was assigned CVE-2024-43991. The issue was published on August 29, 2024 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue. It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L according to Patchstack's assessment. The National Vulnerability Database (NVD) rates it slightly lower at 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

This vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The attack requires contributor-level privileges or higher to exploit (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects Hotel Galaxy theme versions up to and including 4.4.24 (NVD).