WordPress Plugin Vulnerabilities

Magnific Popups JavaScript Library < 1.2.0 - Contributor+ Stored XSS

Description

Multiple plugins are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.

Affects Plugins

Plugin icon
addons-for-divi
Fixed in 4.0.6
Plugin icon
blossomthemes-instagram-feed
No known fix
Plugin icon
bold-page-builder
Fixed in 5.1.3
Plugin icon
carousel-slider
Fixed in 2.2.15
Plugin icon
divi-builder
Fixed in 4.27.2
Plugin icon
essential-addons-for-elementor-lite
Fixed in 6.0.5
Plugin icon
gutentor
Fixed in 3.5.0
Plugin icon
happy-elementor-addons
Fixed in 3.12.3
Plugin icon
robo-gallery
Fixed in 3.2.23
Plugin icon
shortcodes-ultimate
Fixed in 7.3.4
Plugin icon
supreme-modules-for-divi
Fixed in 2.5.53

Affects Themes

Divi
Fixed in 4.27.2
extra
Fixed in 4.27.2
oceanwp
Fixed in 3.6.1

References

CVE
CVE-2024-5647
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/dae80fc2-3076-4a32-876d-5df1c62de9bd

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
c2998af6-d000-4da5-a60d-dbc6e52474bf

Timeline

Publicly Published
2025-07-02 (about 8 months ago)
Added
2025-07-03 (about 8 months ago)
Last Updated
2025-12-09 (about 3 months ago)

Other

Published
Title
Published
2015-08-10
Title
Easy Table < 1.5.3 - Stored Cross-Site Scripting via CSRF
Published
2022-03-28
Title
Modern Events Calendar Lite < 6.4.7 - Reflected Cross-Site Scripting
Published
2024-08-09
Title
WC Marketplace < 4.2.0 - Reflected Cross-Site Scripting
Published
2017-08-18
Title
WPJobBoard < 5.0 - Multiple Cross-Site Scripting (XSS)
Published
2025-05-07
Title
Submission DOM tracking for Contact Form 7 < 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting