CVE-2024-47345 in Starter Templates Plugininfo

Summary

by MITRE • 10/06/2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Starter Templates astra-sites allows Stored XSS.This issue affects Starter Templates: from n/a through <= 4.4.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/05/2026

The vulnerability identified as CVE-2024-47345 represents a critical cross-site scripting flaw within the Brainstorm Force Starter Templates plugin, specifically impacting the astra-sites component. This weakness falls under the category of improper input neutralization during web page generation, creating a persistent security risk that allows attackers to execute malicious scripts in the context of affected user sessions. The vulnerability is classified as a stored XSS attack vector, meaning that malicious code can be permanently stored on the server and subsequently executed whenever users access affected pages, making it particularly dangerous for widespread impact.

The technical implementation of this vulnerability stems from inadequate sanitization of user-supplied input within the plugin's template generation processes. When users create or modify content through the starter templates interface, the system fails to properly validate and escape potentially malicious input before rendering it into web pages. This flaw enables attackers to inject malicious JavaScript code that persists in the database and executes whenever legitimate users view the affected content. The vulnerability affects all versions of the plugin up to and including version 4.4.0, indicating a long-standing issue that has remained unpatched for an extended period.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to hijack user sessions, steal sensitive information, and potentially escalate privileges within the affected WordPress environment. Attackers can leverage this vulnerability to perform actions such as modifying user permissions, accessing confidential data, or redirecting users to malicious websites. The stored nature of the XSS attack means that the malicious code remains active until manually removed from the database, creating a persistent threat that can affect multiple users over time. This vulnerability directly aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications.

Security professionals should prioritize immediate remediation of this vulnerability by updating to the latest version of the Brainstorm Force Starter Templates plugin where the issue has been addressed. Organizations should also implement additional defensive measures such as content security policies, input validation at multiple layers, and regular security scanning of their WordPress installations. The ATT&CK framework categorizes this vulnerability under T1566, specifically targeting the initial access phase through malicious content delivery, making it a critical vector for attackers seeking to establish persistent presence within target environments. Network monitoring should be enhanced to detect suspicious input patterns, and administrators should conduct thorough security audits of all installed plugins to identify similar vulnerabilities that may exist within the broader WordPress ecosystem.

Responsible

Patchstack

Reservation

09/24/2024

Disclosure

10/06/2024

Moderation

accepted

CPE

ready

EPSS

0.00249

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!