Astra < 4.6.5 – Editor+ Stored XSS via Theme Header/Footer | CVE 2024-29768 | Theme Vulnerabilities

Description

The theme is vulnerable to Stored Cross-Site Scripting via the theme header and footer content due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Themes

Fixed in 4.6.5

References

CVE

URL

https://patchstack.com/database/vulnerability/astra/wordpress-astra-theme-4-6-4-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Phill Sav (Savphill)

Verified

No

WPVDB ID

30fd2612-91f6-4c1b-8d0c-fa607edf4717

Timeline

Publicly Published

2024-03-25 (about 1 year ago)

Added

2024-03-28 (about 1 year ago)

Last Updated

2024-03-28 (about 1 year ago)

Other

Published

Title

Published

2024-04-29

Title

Sliding Widgets <= 1.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2025-12-20

Title

SureForms < 2.2.1 - Unauthenticated Stored XSS

Published

2025-04-01

Title

Hypotext <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-06-22

Title

Download Manager < 3.2.48 - Contributor+ Stored Cross-Site Scripting

Published

2017-03-01

Title

Gnucommerce < 1.4.2 - XSS