CVE-2024-47356 in Create Plugininfo

Summary

by MITRE • 10/06/2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchthemes Create create allows Stored XSS.This issue affects Create: from n/a through <= 2.9.1.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/05/2026

The vulnerability identified as CVE-2024-47356 represents a critical cross-site scripting weakness within the catchthemes Create theme for WordPress platforms. This flaw resides in the improper neutralization of input data during web page generation processes, creating a persistent security risk that allows attackers to execute malicious scripts in the context of affected users' browsers. The vulnerability specifically impacts versions of the Create theme from any initial release through version 2.9.1, indicating a long-standing issue that has remained unaddressed for an extended period.

The technical nature of this vulnerability classifies it as a stored cross-site scripting attack, meaning that malicious input submitted by an attacker is permanently stored on the server and subsequently served to other users without proper sanitization. This differs from reflected XSS attacks where the malicious payload is immediately reflected from the user's request, as stored XSS requires the payload to be saved and then executed during subsequent page loads. The flaw occurs during the web page generation phase, suggesting that the theme's templating engine or content processing functions fail to adequately escape or filter user-supplied data before rendering it within HTML contexts.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to hijack user sessions, steal sensitive cookies, perform unauthorized actions on behalf of victims, and potentially gain administrative access to compromised sites. Attackers could exploit this weakness by injecting malicious JavaScript code through various input fields within the theme's admin interface or frontend submission forms. The stored nature of the vulnerability means that once exploited, the malicious code persists and affects all users who view the affected pages, making it particularly dangerous for websites with high user interaction or content management capabilities.

This vulnerability aligns with CWE-79, which specifically addresses improper neutralization of input during web page generation, and represents a clear violation of secure coding practices for web application development. From an adversarial perspective, this weakness maps to multiple ATT&CK techniques including T1566.001 for initial access through malicious web content and T1071.001 for application layer protocol usage. The attack surface is particularly concerning given that WordPress themes are fundamental components of website functionality, and the Create theme is widely used across various website deployments. Organizations should prioritize immediate remediation by upgrading to a patched version of the theme, while implementing additional defensive measures such as content security policies, input validation, and regular security audits to prevent exploitation of similar vulnerabilities in other components of their web infrastructure.

Responsible

Patchstack

Reservation

09/24/2024

Disclosure

10/06/2024

Moderation

accepted

CPE

ready

EPSS

0.00210

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!