Stored Cross-Site Scripting in WordPress Plugins Using Magnific Popups Library
CVE-2024-5647

6.4MEDIUM

What is CVE-2024-5647?

Multiple WordPress plugins are vulnerable to Stored Cross-Site Scripting through the bundled Magnific Popups library, specifically versions prior to 1.2.0. This issue arises from insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level privileges to insert arbitrary scripts. When these scripts are executed, they can compromise user sessions and data integrity upon accessing the affected pages. This vulnerability was mitigated in version 1.2.0 of the Magnific Popups library, which introduced measures to prevent HTML loading in sensitive fields by default.

Affected Version(s)

BlossomThemes Social Feed * <= 2.0.5

Bold Page Builder * <= 5.1.2

Carousel Slider * <= 2.2.14

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith
.
CVE-2024-5647 : Stored Cross-Site Scripting in WordPress Plugins Using Magnific Popups Library