Stored Cross-Site Scripting in WordPress Plugins Using Magnific Popups Library
CVE-2024-5647

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Blossomthemes Social Feed; Carousel Slider; Supreme Modules Lite – Divi Theme, Extra Theme And Divi Builder; Photo Gallery, Images, Slider In Rbs Image Gallery
Vendor: CVE Published:; 3 July 2025

What is CVE-2024-5647?

Multiple WordPress plugins are vulnerable to Stored Cross-Site Scripting through the bundled Magnific Popups library, specifically versions prior to 1.2.0. This issue arises from insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level privileges to insert arbitrary scripts. When these scripts are executed, they can compromise user sessions and data integrity upon accessing the affected pages. This vulnerability was mitigated in version 1.2.0 of the Magnific Popups library, which introduced measures to prevent HTML loading in sensitive fields by default.

Affected Version(s)

BlossomThemes Social Feed * <= 2.0.5

Bold Page Builder * <= 5.1.2

Carousel Slider * <= 2.2.14

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/shortcodes-ult...

https://plugins.trac.wordpress.org/browser/essential-addo...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 3, 2025
Vulnerability Reserved
Jun 4, 2024

Credit

Craig Smith