CVE-2024-5870

Name of the Vulnerable Software and Affected Versions: Tweaker5 theme for WordPress versions up to, and including, 1.2

Description: The issue is a Stored Cross-Site Scripting vulnerability due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages via the url parameter within the theme's Button shortcode. These scripts will execute whenever a user accesses an injected page.

Recommendations: For versions up to, and including, 1.2, consider disabling the Button shortcode until a patch is available to prevent exploitation. Restrict access to the url parameter within the Button shortcode to minimize the risk of arbitrary web script injection.