CVE-2024-13667

Name of the Vulnerable Software and Affected Versions Uncode theme for WordPress versions up to, and including, 2.9.1.6

Description The issue is related to Stored Cross-Site Scripting, which occurs due to insufficient input sanitization and output escaping. This allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts in pages via the mle-description parameter. These scripts will execute whenever a user accesses an injected page.

Recommendations For versions up to, and including, 2.9.1.6, consider disabling the mle-description parameter to prevent exploitation until a patch is available. Restrict access to pages that use this parameter to minimize the risk of script injection. Update to a version that includes the necessary input sanitization and output escaping fixes to fully resolve the issue.