Vulnerability Description
Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings which includes custom JavaScript that is enabled site-wide. This issue was escalated to Envato over two months from the date of this disclosure and the issue is still vulnerable.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| G5Plus | April | <= 5.1 |
| G5Plus | Auteur | <= 7.1 |
| G5Plus | Benaa | <= 4.0.0 |
| G5Plus | Beyot | <= 6.0.6 |
Related Weaknesses (CWE)
References
- https://themeforest.net/item/beyot-wordpress-real-estate-theme/19514964Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/07729c28-a73a-46f4-853Third Party Advisory
FAQ
What is CVE-2024-13419?
CVE-2024-13419 is a vulnerability with a CVSS score of 6.4 (MEDIUM). Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functio...
How severe is CVE-2024-13419?
CVE-2024-13419 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-13419?
Check the references section above for vendor advisories and patch information. Affected products include: G5Plus April, G5Plus Auteur, G5Plus Benaa, G5Plus Beyot.