Stored Cross-Site Scripting in WordPress Plugins Using Magnific Popups Library
CVE-2024-5647

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Blossomthemes Social Feed
Carousel Slider
Supreme Modules Lite – Divi Theme, Extra Theme And Divi Builder
Photo Gallery, Images, Slider In Rbs Image Gallery
Vendor
CVE Published:
3 July 2025

What is CVE-2024-5647?

Multiple WordPress plugins are vulnerable to Stored Cross-Site Scripting through the bundled Magnific Popups library, specifically versions prior to 1.2.0. This issue arises from insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level privileges to insert arbitrary scripts. When these scripts are executed, they can compromise user sessions and data integrity upon accessing the affected pages. This vulnerability was mitigated in version 1.2.0 of the Magnific Popups library, which introduced measures to prevent HTML loading in sensitive fields by default.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

BlossomThemes Social Feed * <= 2.0.5

Bold Page Builder * <= 5.1.2

Carousel Slider * <= 2.2.14

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/shortcodes-ult...
https://plugins.trac.wordpress.org/browser/essential-addo...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith
JSON
.