WordPress Plugin Vulnerabilities

Themify Builder < 7.6.6 - Reflected Cross-Site Scripting

Description

The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
themify-builder
Fixed in 7.6.6

References

CVE
CVE-2024-13319
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/69ac1e37-4e31-4dce-a2d6-07a4299995c5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Colin Xu
Verified
No
WPVDB ID
7b195b0b-ddfd-47ad-83d9-12aa80ca005f

Timeline

Publicly Published
2025-01-21 (about 1 year ago)
Added
2025-01-21 (about 1 year ago)
Last Updated
2025-01-22 (about 1 year ago)

Other

Published
Title
Published
2025-07-21
Title
CM Map Locations < 2.1.7 - Reflected Cross-Site Scripting
Published
2024-10-31
Title
AtomChat < 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via atomchat Shortcode
Published
2026-03-30
Title
Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page
Published
2025-04-23
Title
MangBoard WP < 1.8.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Board Header And Footer
Published
2025-01-08
Title
Files Download Delay <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting