CVE-2024-5925

Name of the Vulnerable Software and Affected Versions: Theron Lite theme for WordPress versions up to, and including, 2.0

Description: The issue allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages via the url parameter within the theme's Button shortcode. This is due to insufficient input sanitization and output escaping, making it possible for injected scripts to execute whenever a user accesses an injected page.

Recommendations: For Theron Lite theme for WordPress versions up to, and including, 2.0, avoid using the url parameter in the Button shortcode until a fix is available. As a temporary workaround, consider restricting access to the Button shortcode for users with Contributor-level access and above to minimize the risk of exploitation.