CVERadar

CVE-2024-9775

Severity: Medium
SVRS: 30/100
CVSSv3: NA/10
EPSS: 0.00031/1

CVE-2024-9775 is a Stored Cross-Site Scripting (XSS) vulnerability in the Anih - Creative Agency WordPress Theme. Authenticated attackers with administrator-level access or higher can store arbitrary web script through the theme's admin settings, and that script runs in the browser of every user who views the injected page. All theme versions up to and including 2024 are affected because of insufficient input sanitization and output escaping. The finding applies only to multi-site installations and to installations where the unfiltered_html capability has been disabled; on a default single-site install an administrator is already permitted to publish raw HTML, so the same input is not a bypass there.

The SVRS of 30 indicates a moderate risk, well below vulnerabilities that require immediate patching, and the EPSS of 0.00031 puts the likelihood of exploitation in the wild very low. No CVSS v3 base score is listed (shown as NA above); that is an absence of a score, not a score of zero, and should not be read as "no impact". The practical scenario is an attacker who already holds an administrator account, or a site administrator on a multi-site network, planting script that executes in the browsers of other users who view the page, for example a network super admin, which can lead to session hijacking, account compromise, data theft, or defacement. Mitigation is to update the theme and to make sure its settings are sanitized on save and escaped on output.

In The Wild
2024-11-09

2024-11-12

SOCRadar AI Insight

Description

CVE-2024-9775 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Anih - Creative Agency WordPress Theme. It arises from an incomplete blacklist and insufficient input sanitization and output escaping within the theme's admin settings. An attacker with administrator-level permissions or higher can inject malicious scripts into pages, and the scripts execute whenever a user visits the injected page. The vulnerability only affects multi-site installations and installations where the unfiltered_html capability has been disabled.

SVRS: The vulnerability has a SOCRadar Vulnerability Risk Score (SVRS) of 46, indicating a moderate risk to the affected systems. While not considered critically urgent, this vulnerability still warrants attention and timely mitigation.

Key Insights

  • Impact: Successful exploitation allows an attacker to store script that runs in the browsers of users who view the affected page. That script can read what those users can read, act on the site with their session (steal sensitive information, manipulate data, redirect users to malicious websites), and, on a multi-site network, target accounts with more privilege than the attacker's own, such as super admins.
  • Affected Systems: This vulnerability specifically impacts the Anih - Creative Agency WordPress Theme and only applies to multi-site installations or installations where the unfiltered_html capability has been disabled.
  • Exploit Status: No publicly available exploits have been reported for this vulnerability. A stored XSS payload is trivial to craft once the injection point is known, but exploitation requires an existing administrator-level account, which keeps the practical likelihood low and matches the very low EPSS.
  • CISA Warnings: The Cybersecurity and Infrastructure Security Agency (CISA) has not issued a warning about this specific vulnerability. XSS flaws do appear in CISA's Known Exploited Vulnerabilities catalog, so the class should not be dismissed on severity alone.

Mitigation Strategies

  • Upgrade the Theme: Update the Anih - Creative Agency WordPress Theme to a patched release from the vendor (see the ThemeForest listing in the references); all versions up to and including 2024 are affected.
  • Input Sanitization: Sanitize every theme setting on save by registering a sanitize_callback for it (for example sanitize_text_field for plain text, wp_kses_post for rich text that must keep markup) rather than relying on a blacklist of dangerous strings.
  • Output Escaping: Escape every stored value at the point of output with the function that matches its context (esc_html for element bodies, esc_attr for attributes, esc_url for links, wp_kses_post for allowlisted HTML). Escaping on output is what stops a stored payload from executing even if it reached the database.
  • Security Audits: Conduct regular security audits of your WordPress website and themes, and on multi-site or DISALLOW_UNFILTERED_HTML installs confirm that administrator accounts really cannot save raw HTML, since that is the configuration in which this finding matters.
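The following PHP is an added illustration of the sanitize-on-save / escape-on-output pattern and of the exposure check above; it is not code from the Anih theme or from Wordfence. The option and function names (anih_demo_*) are hypothetical, the injected payload in the comment is illustrative, and the WordPress functions used (register_setting, sanitize_text_field, wp_kses_post, esc_html, esc_attr, get_option, user_can, is_multisite) are real core API.

```php
<?php
/*
 * Added illustration, not code from the Anih theme: a theme setting saved
 * from the WordPress admin and rendered on the front end, first in the
 * vulnerable shape the advisory describes, then hardened, plus a check for
 * the configurations the advisory says are affected. All anih_demo_* names
 * are hypothetical.
 */

/* ---- Vulnerable pattern: stored raw, echoed raw ---------------------- */

function anih_demo_register_vulnerable() {
    // No sanitize_callback: whatever the admin submits is written to the DB.
    register_setting( 'anih_demo', 'anih_demo_tagline' );
}

function anih_demo_render_vulnerable() {
    // No escaping: a saved value such as <img src=x onerror=alert(1)>
    // (illustrative payload) executes for every visitor of this page.
    echo '<p class="tagline">' . get_option( 'anih_demo_tagline', '' ) . '</p>';
}

/* ---- Hardened pattern: sanitize on write, escape on read --------------- */

function anih_demo_register_hardened() {
    // Plain-text field: strip tags, line breaks and control characters.
    register_setting( 'anih_demo', 'anih_demo_tagline', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    // Rich-text field: keep only the post-content tag/attribute allowlist,
    // which drops <script> and on* handlers regardless of who saves it.
    register_setting( 'anih_demo', 'anih_demo_about_html', array(
        'type'              => 'string',
        'sanitize_callback' => 'wp_kses_post',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'anih_demo_register_hardened' );

function anih_demo_render_hardened() {
    $tagline = get_option( 'anih_demo_tagline', '' );
    // Escape for the context the value lands in: attribute vs. element body.
    echo '<p class="tagline" title="' . esc_attr( $tagline ) . '">'
       . esc_html( $tagline ) . '</p>';
    // Already filtered on save; filter again on output so a value written by
    // another code path (import, direct DB edit) gets the same allowlist.
    echo wp_kses_post( get_option( 'anih_demo_about_html', '' ) );
}

/* ---- Exposure check: is this install in an affected configuration? ----- */

function anih_demo_exposure( $admin_user_id ) {
    // WordPress core denies unfiltered_html when DISALLOW_UNFILTERED_HTML is
    // set, and on multisite for everyone except super admins. If the admin
    // account still holds the capability, raw HTML from that account is
    // expected WordPress behaviour rather than a filter bypass, and the
    // advisory's "affected" condition is not met.
    return array(
        'multisite'                 => is_multisite(),
        'disallow_unfiltered_html'  => defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML,
        'admin_has_unfiltered_html' => user_can( $admin_user_id, 'unfiltered_html' ),
    );
}
```

With the snippet loaded as a must-use plugin, the check can be run from WP-CLI, for instance `wp eval 'print_r( anih_demo_exposure( 1 ) );'` (assuming user ID 1 is an administrator). `admin_has_unfiltered_html => false` together with a theme version at or below 2024 is the exposed configuration; `true` means administrators on this install are already allowed to publish raw HTML and the theme bug adds nothing to what they can do.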


Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-9775 | Creative Agency Theme up to 2024 on WordPress cross site scripting
vuldb.com, 2025-03-01
CVE-2024-9775 | Creative Agency Theme up to 2024 on WordPress cross site scripting | A vulnerability has been found in Creative Agency Theme up to 2024 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-9775. The attack can be launched remotely. There is no exploit available.

Social Media

CVE-2024-9775 Stored Cross-Site Scripting in Anih WordPress Theme for Admin Users The Anih - Creative Agency WordPress Theme is vulnerable to Stored Cross-Site Scripting (XSS) through admin settings in all versio... https://t.co/AIznGODe2a

Affected Software

No affected software found for this CVE

References

Reference  Link
[email protected]  https://themeforest.net/item/anih-creative-agency-wordpress-theme/36381357
[email protected]  https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2b6a6b-73c2-441e-893d-ec171a659546?source=cve

CWE Details

CWE ID: CWE-79
CWE Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
