CVE-2024-5647
MEDIUMBlossomThemes Social Feed < 2.0.5 - Authenticated Stored Cross-Site Scripting via Magnific Popups Library
Title source: llmDescription
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
References (16)
Core 16
Core References
Various Sources
https://www.elegantthemes.com/api/changelog/divi-builder.txt
Various Sources
https://www.elegantthemes.com/api/changelog/divi.txt
Various Sources
https://www.elegantthemes.com/api/changelog/extra.txt
Scores
CVSS v3
6.4
EPSS
0.0029
EPSS Percentile
21.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (18)
badhonrocks/Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme
< 4.0.5
badhonrocks/Divi Torque – Plugin for Divi Theme and Builder
< 4.0.5
blossomthemes/BlossomThemes Social Feed
< 2.0.5
boldthemes/Bold Page Builder
< 5.1.2
divisupreme/Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder
< 2.5.52
Elegant Themes/Divi
< 4.27.1
Elegant Themes/Divi Builder
< 4.27.1
Elegant Themes/Divi Extra
< 4.27.1
gn_themes/WP Shortcodes Plugin — Shortcodes Ultimate
< 7.4.2
gutentor/Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor
< 3.4.9
... and 8 more
Published
Jul 03, 2025
Tracked Since
Feb 18, 2026