Envo Extra < 1.8.25 – Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget | CVE 2024-5645 | Plugin Vulnerabilities

Description

The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_css_id’ parameter within the Button widget in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 1.8.25

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/dbe53b09-84c6-4fb6-9a79-1e4987678129

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

3a1572b3-028a-4391-802d-cfc1546a2f5f

Timeline

Publicly Published

2024-06-06 (about 1 year ago)

Added

2024-06-06 (about 1 year ago)

Last Updated

2024-06-07 (about 1 year ago)

Other

Published

Title

Published

2023-03-14

Title

Easy Event calendar <= 1.0 - Admin+ Stored XSS

Published

2024-09-11

Title

amCharts: Charts and Maps < 1.4.5 - Reflected Cross-Site Scripting via Cross-Site Request Forgery

Published

2019-12-10

Title

Scoutnet Kalender <= 1.1.0 - Stored Cross-Site Scripting (XSS)

Published

2022-02-21

Title

Team Circle Image Slider With Lightbox < 1.0.16 - Reflected Cross-Site Scripting

Published

2025-08-22

Title

Recurring PayPal Donations < 1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting