Stored Cross-Site Scripting in Smart Framework Plugins and Themes for WordPress
CVE-2024-13419
5.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 2 May 2025
What is CVE-2024-13419?
Multiple plugins and themes utilizing the Smart Framework for WordPress are at risk due to a vulnerability that allows authenticated users with Subscriber-level access and above to exploit missing capability checks in the saveOptions() and importThemeOptions() functions. This vulnerability enables attackers to manipulate plugin settings, potentially injecting malicious JavaScript that executes site-wide, posing significant risks to website security. Despite reporting the issue to Envato over two months ago, the vulnerability remains unresolved.
Affected Version(s)
April Framework * <= 5.1
Auteur Framework * <= 7.1
Benaa Framework * <= 4.0.0