CVE-2024-43994: 
WordPress vulnerability analysis and mitigation

CVE-2024-43994 is a Stored Cross-Site Scripting (XSS) vulnerability discovered in CryoutCreations Kahuna WordPress theme versions up to 1.7.0. The vulnerability was publicly disclosed on August 29, 2024, and affects authenticated users with contributor-level access or higher (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from insufficient input sanitization and output escaping in the theme. The CVSS v3.1 base score is rated as 5.4 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to various attacks including redirects, malicious advertisements, and other HTML payload executions (WPScan).

The vulnerability has been fixed in version 1.7.0.1 of the Kahuna theme. Users are advised to update to this version or later to mitigate the risk (WPScan).