CVE-2024-5647

Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library

Severity Score

6.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

MITRE

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.

*Credits: Craig Smith,Webbernaut

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-04 CVE Reserved
2025-07-02 CVE Published
2025-07-09 EPSS Updated
2025-07-23 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (16)

URL	Tag	Source
https://www.wordfence.com/threat-intel/vulnerabilities/id/dae80fc2-3076-4a32-876d-5df1c62de9bd?source=cve
https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/vendor/magnific-popup/magnific-popup.js
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/assets/front-end/js/lib-view/magnific-popup/jquery.magnific-popup.js
https://plugins.trac.wordpress.org/browser/bold-page-builder/trunk/content_elements_misc/js/jquery.magnific-popup.js
https://plugins.trac.wordpress.org/changeset/3154460/happy-elementor-addons
https://plugins.trac.wordpress.org/changeset/3153781/bold-page-builder
https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/js/robo_gallery.js#L56
https://www.elegantthemes.com/api/changelog/divi.txt
https://www.elegantthemes.com/api/changelog/extra.txt
https://www.elegantthemes.com/api/changelog/divi-builder.txt
https://themes.trac.wordpress.org/changeset/244604/oceanwp
https://plugins.trac.wordpress.org/changeset/3153700/essential-addons-for-elementor-lite
https://plugins.trac.wordpress.org/changeset/3184626/addons-for-divi
https://plugins.trac.wordpress.org/changeset/3201991/robo-gallery
https://plugins.trac.wordpress.org/changeset/3166204/carousel-slider
https://github.com/dimsemenov/Magnific-Popup/releases/tag/1.2.0

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Blossomthemes Search vendor "Blossomthemes"		BlossomThemes Social Feed Search vendor "Blossomthemes" for product "BlossomThemes Social Feed"				<= 2.0.5 Search vendor "Blossomthemes" for product "BlossomThemes Social Feed" and version " <= 2.0.5"		en		Affected
Majeedraza Search vendor "Majeedraza"		Carousel Slider Search vendor "Majeedraza" for product "Carousel Slider"				<= 2.2.14 Search vendor "Majeedraza" for product "Carousel Slider" and version " <= 2.2.14"		en		Affected
Divisupreme Search vendor "Divisupreme"		Supreme Modules Lite – Divi Theme, Extra Theme And Divi Builder Search vendor "Divisupreme" for product "Supreme Modules Lite – Divi Theme, Extra Theme And Divi Builder"				<= 2.5.52 Search vendor "Divisupreme" for product "Supreme Modules Lite – Divi Theme, Extra Theme And Divi Builder" and version " <= 2.5.52"		en		Affected
Robosoft Search vendor "Robosoft"		Photo Gallery, Images, Slider In Rbs Image Gallery Search vendor "Robosoft" for product "Photo Gallery, Images, Slider In Rbs Image Gallery"				<= 3.2.22 Search vendor "Robosoft" for product "Photo Gallery, Images, Slider In Rbs Image Gallery" and version " <= 3.2.22"		en		Affected
Gutentor Search vendor "Gutentor"		Gutentor – Gutenberg Blocks – Page Builder For Gutenberg Editor Search vendor "Gutentor" for product "Gutentor – Gutenberg Blocks – Page Builder For Gutenberg Editor"				<= 3.4.9 Search vendor "Gutentor" for product "Gutentor – Gutenberg Blocks – Page Builder For Gutenberg Editor" and version " <= 3.4.9"		en		Affected
Oceanwp Search vendor "Oceanwp"		OceanWP Search vendor "Oceanwp" for product "OceanWP"				<= 3.6.0 Search vendor "Oceanwp" for product "OceanWP" and version " <= 3.6.0"		en		Affected
Thehappymonster Search vendor "Thehappymonster"		Happy Addons For Elementor Search vendor "Thehappymonster" for product "Happy Addons For Elementor"				<= 3.12.2 Search vendor "Thehappymonster" for product "Happy Addons For Elementor" and version " <= 3.12.2"		en		Affected
Badhonrocks Search vendor "Badhonrocks"		Divi Torque – Plugin For Divi Theme And Builder Search vendor "Badhonrocks" for product "Divi Torque – Plugin For Divi Theme And Builder"				<= 4.0.5 Search vendor "Badhonrocks" for product "Divi Torque – Plugin For Divi Theme And Builder" and version " <= 4.0.5"		en		Affected
Elegant Themes Search vendor "Elegant Themes"		Divi Builder Search vendor "Elegant Themes" for product "Divi Builder"				<= 4.27.1 Search vendor "Elegant Themes" for product "Divi Builder" and version " <= 4.27.1"		en		Affected
Elegant Themes Search vendor "Elegant Themes"		Divi Search vendor "Elegant Themes" for product "Divi"				<= 4.27.1 Search vendor "Elegant Themes" for product "Divi" and version " <= 4.27.1"		en		Affected
Elegant Themes Search vendor "Elegant Themes"		Divi Extra Search vendor "Elegant Themes" for product "Divi Extra"				<= 4.27.1 Search vendor "Elegant Themes" for product "Divi Extra" and version " <= 4.27.1"		en		Affected
Boldthemes Search vendor "Boldthemes"		Bold Page Builder Search vendor "Boldthemes" for product "Bold Page Builder"				<= 5.1.2 Search vendor "Boldthemes" for product "Bold Page Builder" and version " <= 5.1.2"		en		Affected
Wpdevteam Search vendor "Wpdevteam"		Essential Addons For Elementor – Popular Elementor Templates And Widgets Search vendor "Wpdevteam" for product "Essential Addons For Elementor – Popular Elementor Templates And Widgets"				<= 6.0.4 Search vendor "Wpdevteam" for product "Essential Addons For Elementor – Popular Elementor Templates And Widgets" and version " <= 6.0.4"		en		Affected
Gn Themes Search vendor "Gn Themes"		WP Shortcodes Plugin — Shortcodes Ultimate Search vendor "Gn Themes" for product "WP Shortcodes Plugin — Shortcodes Ultimate"				<= 7.4.2 Search vendor "Gn Themes" for product "WP Shortcodes Plugin — Shortcodes Ultimate" and version " <= 7.4.2"		en		Affected