CVE-2024-5647

EPSS 0.07%
Veröffentlicht 03.07.2025 09:22:19
Zuletzt bearbeitet 03.07.2025 15:13:53
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.

Mögliche Gegenmaßnahme

Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme: Update to version 4.0.6, or a newer patched version

BlossomThemes Social Feed: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Bold Page Builder: Update to version 5.1.3, or a newer patched version

Carousel Slider: Update to version 2.2.15, or a newer patched version

Divi Builder: Update to version 4.27.2, or a newer patched version

Essential Addons for Elementor – Popular Elementor Templates & Widgets: Update to version 6.0.5, or a newer patched version

Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Happy Addons for Elementor: Update to version 3.12.3, or a newer patched version

Robo Gallery – Photo & Image Slider: Update to version 3.2.23, or a newer patched version

WP Shortcodes Plugin — Shortcodes Ultimate: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder: Update to version 2.5.53, or a newer patched version

Divi: Update to version 4.27.2, or a newer patched version

Divi Extra: Update to version 4.27.2, or a newer patched version

OceanWP: Update to version 3.6.1, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 20

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme

Version *-4.0.5

SystemWordPress Plugin

≫

Produkt BlossomThemes Social Feed

Version *-2.0.5

SystemWordPress Plugin

≫

Produkt Bold Page Builder

Version *-5.1.2

SystemWordPress Plugin

≫

Produkt Carousel Slider

Version *-2.2.14

SystemWordPress Plugin

≫

Produkt Divi Builder

Version *-4.27.1

SystemWordPress Plugin

≫

Produkt Essential Addons for Elementor – Popular Elementor Templates & Widgets

Version *-6.0.4

SystemWordPress Plugin

≫

Produkt Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor

Version *-3.4.9

SystemWordPress Plugin

≫

Produkt Happy Addons for Elementor

Version *-3.12.2

SystemWordPress Plugin

≫

Produkt Robo Gallery – Photo & Image Slider

Version *-3.2.22

SystemWordPress Plugin

≫

Produkt WP Shortcodes Plugin — Shortcodes Ultimate

Version *-7.4.2

SystemWordPress Plugin

≫

Produkt Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder

Version *-2.5.52

SystemWordPress Theme

≫

Produkt Divi

Version *-4.27.1

SystemWordPress Theme

≫

Produkt Divi Extra

Version *-4.27.1

SystemWordPress Theme

≫

Produkt OceanWP

Version *-3.6.0

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerblossomthemes

≫

Produkt BlossomThemes Social Feed

Default Statusunaffected

Version <= 2.0.5

Version *

Status affected

Herstellermajeedraza

≫

Produkt Carousel Slider

Default Statusunaffected

Version <= 2.2.14

Version *

Status affected

Herstellerdivisupreme

≫

Produkt Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder

Default Statusunaffected

Version <= 2.5.52

Version *

Status affected

Herstellerrobosoft

≫

Produkt Photo Gallery, Images, Slider in Rbs Image Gallery

Default Statusunaffected

Version <= 3.2.22

Version *

Status affected

Herstellergutentor

≫

Produkt Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor

Default Statusunaffected

Version <= 3.4.9

Version *

Status affected

Herstelleroceanwp

≫

Produkt OceanWP

Default Statusunaffected

Version <= 3.6.0

Version *

Status affected

Herstellerthehappymonster

≫

Produkt Happy Addons for Elementor

Default Statusunaffected

Version <= 3.12.2

Version *

Status affected

Herstellerbadhonrocks

≫

Produkt Divi Torque – Plugin for Divi Theme and Builder

Default Statusunaffected

Version <= 4.0.5

Version *

Status affected

HerstellerElegant Themes

≫

Produkt Divi Builder

Default Statusunaffected

Version <= 4.27.1

Version *

Status affected

HerstellerElegant Themes

≫

Produkt Divi

Default Statusunaffected

Version <= 4.27.1

Version *

Status affected

HerstellerElegant Themes

≫

Produkt Divi Extra

Default Statusunaffected

Version <= 4.27.1

Version *

Status affected

Herstellerboldthemes

≫

Produkt Bold Page Builder

Default Statusunaffected

Version <= 5.1.2

Version *

Status affected

Herstellerwpdevteam

≫

Produkt Essential Addons for Elementor – Popular Elementor Templates and Widgets

Default Statusunaffected

Version <= 6.0.4

Version *

Status affected

Herstellergn_themes

≫

Produkt WP Shortcodes Plugin — Shortcodes Ultimate

Default Statusunaffected

Version <= 7.4.2

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.206

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	6.4	3.1	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.elegantthemes.com/api/changelog/divi.txt

https://www.wordfence.com/threat-intel/vulnerabilities/id/dae80fc2-3076-4a32-876d-5df1c62de9bd?source=cve

https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/vendor/magnific-popup/magnific-popup.js

https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/assets/front-end/js/lib-view/magnific-popup/jquery.magnific-popup.js

https://plugins.trac.wordpress.org/browser/bold-page-builder/trunk/content_elements_misc/js/jquery.magnific-popup.js

https://plugins.trac.wordpress.org/changeset/3154460/happy-elementor-addons

https://plugins.trac.wordpress.org/changeset/3153781/bold-page-builder

https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/js/robo_gallery.js#L56

https://www.elegantthemes.com/api/changelog/extra.txt

https://www.elegantthemes.com/api/changelog/divi-builder.txt

https://themes.trac.wordpress.org/changeset/244604/oceanwp

https://plugins.trac.wordpress.org/changeset/3153700/essential-addons-for-elementor-lite