CVE-2024-13419

Medium CVSS: 6.4

Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings which includes custom JavaScript that is enabled site-wide. This issue was escalated to Envato over two months from the date of this disclosure and the issue is still vulnerable.

Vendor

G5plus

Product

April

CWE

CWE-862

Yayın Tarihi

2025-05-02 04:15:45

Güncelleme

2025-05-06 14:57:41

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-862 April MEDIUM G5plus 2025

Referanslar

https://themeforest.net/item/beyot-wordpress-real-estate-theme/19514964 https://www.wordfence.com/threat-intel/vulnerabilities/id/07729c28-a73a-46f4-853e-116792d612f5?source=cve

Benzer Kayıtlar

Critical

CVE-2025-48126

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in…

Medium

CVE-2024-13420

Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on…

High

CVE-2024-13418

Multiple plugins and/or themes for WordPress are vulnerable to Arbitrary File Uploads due to a missing capability check…

Critical

CVE-2025-30849

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in…

Unknown

CVE-2025-24698

Cross-Site Request Forgery (CSRF) vulnerability in g5theme Essential Real Estate essential-real-estate allows Cross Site…

Critical

CVE-2024-13545

The Bootstrap Ultimate theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1…