WordPress Plugin Vulnerabilities

Divi Torque Lite – Divi Theme and Extra Theme < 4.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

Description

The Divi Torque Lite – Divi Theme and Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘support_unfiltered_files_upload’ function in all versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
addons-for-divi
Fixed in 4.0.0

References

CVE
CVE-2024-5892
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/78dae5be-a71b-45bc-8814-7cc86233ae90

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
a81ed99f-7d59-4d31-9bbf-29aca648e81a

Timeline

Publicly Published
2024-06-11 (about 1 year ago)
Added
2024-06-12 (about 1 year ago)
Last Updated
2024-06-12 (about 1 year ago)

Other

Published
Title
Published
2025-09-03
Title
Orbit Fox by ThemeIsle < 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-01-03
Title
CPT Bootstrap Carousel <= 1.12 - Reflected Cross-Site Scripting
Published
2024-05-01
Title
CM Tooltip Glossary < 4.3.4 - Admin+ Stored XSS
Published
2023-01-04
Title
Insert Pages < 3.7.5 - Contributor+ Stored XSS
Published
2023-01-24
Title
Watu Quiz < 3.3.8.2 - Reflected XSS