CVE-2024-5647

MEDIUM

BlossomThemes Social Feed < 2.0.5 - Authenticated Stored Cross-Site Scripting via Magnific Popups Library

Title source: llm
STIX 2.1

Description

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.

References (16)

Core 16
Core References

Scores

CVSS v3 6.4
EPSS 0.0029
EPSS Percentile 21.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (18)
badhonrocks/Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme < 4.0.5
badhonrocks/Divi Torque – Plugin for Divi Theme and Builder < 4.0.5
blossomthemes/BlossomThemes Social Feed < 2.0.5
boldthemes/Bold Page Builder < 5.1.2
divisupreme/Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder < 2.5.52
Elegant Themes/Divi < 4.27.1
Elegant Themes/Divi Builder < 4.27.1
Elegant Themes/Divi Extra < 4.27.1
gn_themes/WP Shortcodes Plugin — Shortcodes Ultimate < 7.4.2
gutentor/Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor < 3.4.9
... and 8 more
Published Jul 03, 2025
Tracked Since Feb 18, 2026